Relevance clause for computed relevance messaging

ABSTRACT

The invention disclosed herein enables a collection of computers and associated communications infrastructure to offer a new communications process which allows information providers to broadcast information to a population of information consumers. The information may be targeted to those consumers who have a precisely formulated need for the information. This targeting may be based on information which is inaccessible to other communications protocols. The targeting also includes a time element. Information can be brought to the attention of the consumer precisely when it has become applicable, which may occur immediately upon receipt of the message, but may also occur long after the message arrives. The communications process may operate without intruding on consumers who do not exhibit the precisely-specified need for the information, and it may operate without compromising the security or privacy of the consumers who participate.

[0001] This application is a continuation of U.S. Ser. No. 09/315,732, filed May 20, 1999; which is a divisional of U.S. Ser. No. 09/272,937, filed Mar. 19, 1999.

BACKGROUND OF THE INVENTION

1. Technical Field

[0002] The invention relates to a new process of communication using computers and associated communications infrastructure. More particularly, the invention relates to a method and apparatus for computed relevance messaging.

[0003] 2. Description of the Prior Art

[0004] The aim of a communications process is to relay information between pairs of actors who, for purposes of the discussion herein, consist of an information provider and an information consumer. The following briefly discusses the concerns of each party.

[0005] Concerns of Information Provider

[0006] The information provider knows of pieces of information and of corresponding situations in which certain consumers would find those pieces of information interesting, useful, or valuable. For example, such pieces of information may concern problems consumers who have particular attributes might be interested in solving or that concern opportunities of interest to consumers having such particular attributes. The provider wishes to distribute the information to those consumers in those specific situations.

[0007] In principle, an information provider might know of thousands or millions of conditions about which it can offer information. The audience for such conditions might involve thousands or millions of consumers.

[0008] A particularly interesting situation is where a typical piece of information should be directed only to consumers having a very special combination of circumstances. A typical piece of information would in principle be of interest to only a small fraction of the consumer base, but where this small fraction nevertheless amounts to a large number of consumers.

[0009] A challenging but very important case occurs when verifying the conditions for applicability of a certain piece of information requires knowing a great deal of detailed information about the consumer, his concerns and affiliations, or his property. This information might be considered very sensitive by consumers, who would not want to participate in a process that required disclosure of the information to the provider. Therefore, it might seem impossible to target the information to consumers because only the consumers have access to the information required to make the determination that the information applies to them, and they are unwilling to expend the effort to make a determination themselves, or to give others access to the sensitive information required to make the determination on their behalf.

[0010] Concerns of Information Consumer

[0011] The consumer is an individual or organization that knows of information providers who have information of potential benefit to them. The consumer may in fact know of tens or hundreds of such providers. Typically, at any given moment, only a small fraction of the information being offered by the information provider is of potential interest to the consumer. The consumer does not want to review all the information available from the information provider. He would prefer to see the subset consisting of information which is relevant to the consumer.

[0012] Typically, the information which the provider is offering changes with time and the conditions experienced by the consumer are changing with time. The consumer would prefer not to have to track changes continually in his own status and the status of the information provider's offerings. He would also prefer not to have to remember that pieces of information published some time before could have suddenly become applicable.

[0013] The consumer would prefer that a procedure be available for automatically detecting the existence of applicable information as it became applicable, either because the consumer's situation had changed, because the information provider's offerings had changed, or because the conditions for applicability of the information involved time considerations which had become applicable. The consumer would prefer not to reveal to the provider information about his identity or the details of his interests, preferences, and possessions. Rather, the consumer would prefer to receive information in a form where he may carefully study it before using it.

[0014] The consumer would also prefer to have a method to inform himself about known problems with an information provider or with a certain piece of information before using the information. Typically, the consumer would prefer that if the decision to use a piece of information is made, the application of the information is painless and essentially automatic. The consumer would prefer to be insulated from the prospect of damage caused by incorrect information.

[0015] It would therefore be advantageous to provide a communications technique that addressed each of the above concerns with regard to both the information provider and the information consumer.

SUMMARY OF THE INVENTION

[0016] The invention disclosed herein enables a collection of computers and associated communications infrastructure to offer a new communications process. This process allows information providers to broadcast information to a population of information consumers. The information may be targeted to those consumers who have a precisely formulated need for the information. This targeting may be based on information which is inaccessible to other communications protocols, for example because under other protocols the targeting requires each potential recipient to reveal sensitive information, or because under other protocols the targeting requires each potential recipient to reveal information obtainable only after extensive calculations using data available only upon intimate knowledge of the consumer computer, its contents, and local environment.

[0017] The targeting also includes a time element. Information can be brought to the attention of the consumer precisely when it has become applicable, which may occur immediately upon receipt of the message, but may also occur long after the message arrives. Again, this is a feature inaccessible under other communication protocols, where the time of distribution of information and the time of consumer notification are closely linked.

[0018] The communications process may operate without intruding on consumers who do not exhibit the precisely-specified need for the information, and it may operate without compromising the security or privacy of the consumers who participate. For example, in one implementation, the information provider does not learn the identity or attributes of the individuals who receive this information.

[0019] This process enables efficient solutions to a variety of problems in modern life, including the automated technical support of modern computers. In the technical support application, the disclosed invention allows a provider to reach precisely those specific computers in a large consumer population which exhibit a specific combination of hardware, software, system settings, data, and local environment, and to offer the users of those computers appropriate remedies to correct problems known to affect computers in such situations.

[0020] The presently preferred embodiment of the invention is specially tuned to address the concerns of consumers and providers in a technical support application. Many other interesting applications areas and embodiments of the invention are also described herein.

[0021] This particular embodiment of the invention is described as follows:

[0022] Actors, referred to herein as advice providers, author advisories, which are specially structured digital documents which may contain:

[0023] (1) Humanly-interpretable content, such as text and multimedia;

[0024] (2) Computer-interpretable content, such as executable programs and data; and

[0025] (3) Expressions in a special computer language called the relevance language.

[0026] The relevance language describes precise conditions under which a given advisory may be relevant to a consumer, by referring to properties of the environment of the consumer computer interpreting the message, such as system configuration, file system contents, attached peripherals, or remotely accessible data. The humanly-interpretable content in an advisory may describe the condition that triggered the relevance determination and propose an action in response to the condition, which could range from installing software to changing system settings to purchasing information or software. The computer-interpretable content may include software which performs a certain computation or effects a certain change in the system environment.

[0027] Advisories are communicated by a process of publication/subscription over a wide-area network such as the Internet. Advisories are placed by their authors at well-known locations, referred to herein as advice sites. Applications referred to as advice readers running on the computers of advice consumers periodically obtain advisories from advice servers which operate at advice sites.

[0028] Advice readers process the messages so obtained and automatically interpret the relevance clauses. They determine whether a given message is relevant in the environment defined by the consumer's computer and associated devices. The user is then notified of those messages which are relevant, and the user may read the relevant advisories and invoke the recommended actions.

[0029] Relevance evaluation is conducted by parsing relevance language clauses into constituent method dispatches. These clauses invoke specific inspectors which can return specific properties of the computer, its configuration, its file system, or other component of interest. In effect, the list of properties of the environment which may be referred to in the relevance language and verified by the advice reader is determined by the contents of the inspector library installed at run-time.

[0030] The existence of standard inspector libraries provides the advice provider with a rich vocabulary for describing the state of the consumer computer and its environment. In one implementation, the collection of inspector libraries can be dynamically expanded by advice providers.
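The dispatch model of paragraphs [0028] to [0030], as an added sketch that is not code from the patent: each clause is parsed into an expression tree whose call nodes may dispatch only to installed inspectors, evaluation happens entirely on the consumer side, and a clause that cannot be evaluated is never shown. Python expression syntax stands in for the relevance language, whose grammar this section does not give; the inspector names, the sample host state and the advisories are hypothetical.

```python
import ast
import operator

# Constructed sample state standing in for the consumer computer.
SAMPLE_HOST = {"os_name": "ExampleOS", "free_disk_mb": 512,
               "apps": {"ExampleEdit": (3, 1)}}

# Hypothetical inspector library: the only names a clause may dispatch to.
INSPECTORS = {
    "os_name": lambda host: host["os_name"],
    "free_disk_mb": lambda host: host["free_disk_mb"],
    "app_installed": lambda host, name: name in host["apps"],
    "app_version": lambda host, name: host["apps"][name],
}

# Constructed advisories: a title for the user plus a relevance clause.
SAMPLE_POOL = [
    {"title": "Upgrade ExampleEdit",
     "relevance": 'app_installed("ExampleEdit") and '
                  'app_version("ExampleEdit") < (3, 2)'},
    {"title": "Free up disk space", "relevance": "free_disk_mb() < 256"},
    {"title": "OtherOS patch", "relevance": 'os_name() == "OtherOS"'},
    # Refers to an inspector that is not installed in this reader.
    {"title": "Registry fix", "relevance": 'registry_value("Example/Key") == 1'},
]

_COMPARE = {ast.Eq: operator.eq, ast.NotEq: operator.ne,
            ast.Lt: operator.lt, ast.LtE: operator.le,
            ast.Gt: operator.gt, ast.GtE: operator.ge}


class ClauseError(Exception):
    """The clause uses syntax or an inspector this reader does not support."""


def _walk(node, host, inspectors):
    """Evaluate one expression-tree node; anything not listed is rejected."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float)):
        return node.value
    if isinstance(node, ast.Tuple):
        return tuple(_walk(e, host, inspectors) for e in node.elts)
    if isinstance(node, ast.BoolOp):
        results = (_walk(v, host, inspectors) for v in node.values)
        # Generators keep and/or short-circuiting, so a guard such as
        # app_installed(...) protects the inspector call that follows it.
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _walk(node.operand, host, inspectors)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        op = _COMPARE.get(type(node.ops[0]))
        if op is None:
            raise ClauseError("unsupported comparison")
        return op(_walk(node.left, host, inspectors),
                  _walk(node.comparators[0], host, inspectors))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and not node.keywords):
        inspector = inspectors.get(node.func.id)
        if inspector is None:
            raise ClauseError(f"no inspector named {node.func.id!r}")
        args = [_walk(a, host, inspectors) for a in node.args]
        return inspector(host, *args)  # the method dispatch
    raise ClauseError(f"unsupported syntax: {type(node).__name__}")


def evaluate(clause, host, inspectors=INSPECTORS):
    """Parse one clause into an expression tree and evaluate it locally."""
    try:
        tree = ast.parse(clause, mode="eval")
        return bool(_walk(tree.body, host, inspectors))
    except (SyntaxError, KeyError, TypeError) as exc:
        # Malformed text, or an inspector that failed on this host.
        raise ClauseError(str(exc)) from exc


def relevant_advisories(pool, host, inspectors=INSPECTORS):
    """Return titles relevant right now; unevaluable advisories stay hidden."""
    shown = []
    for advisory in pool:
        try:
            if evaluate(advisory["relevance"], host, inspectors):
                shown.append(advisory["title"])
        except ClauseError:
            continue  # fail closed: nothing is shown for an unevaluable clause
    return shown


if __name__ == "__main__":
    print(relevant_advisories(SAMPLE_POOL, SAMPLE_HOST))
    # The same stored pool, re-evaluated after the host state has changed.
    print(relevant_advisories(SAMPLE_POOL, dict(SAMPLE_HOST, free_disk_mb=100)))
```

The clause text is never passed to `eval`; only the node types handled in `_walk` are interpreted, so the vocabulary available to an advisory author is exactly the installed inspector table.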

[0031] Advice readers operate continually in an automatic mode, gathering advice from many advice providers distributed across public networks such as the Internet, and diagnosing relevance as it occurs.

[0032] Advice readers following an advice gathering protocol, referred to herein as Anonymous Exhaustive Update Protocol, may operate in a manner which fully respects the privacy of the computer's owner. Information resulting from the relevance determination, i.e. information obtained from the consumer computer, does not leak out to the server. Information on the consumer computer stays on the consumer computer unless the consumer approves its distribution.

[0033] Many variations on this specific embodiment are described in detail, including variations which have very different applications, very different message formats, very different gathering protocols, very different security and privacy attributes, very different methods of describing the consumers to whom a message may be relevant, and very different trust relationships between consumer and provider (e.g. master-slave relationships). The disclosed invention is shown to be capable of effective embodiment in all these settings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0034] FIG. 1 is a block diagram showing the process of matching advisories to consumers according to the invention;

[0035] FIG. 2 is a block diagram showing an advisor viewpoint according to the invention;

[0036] FIG. 3 is a block diagram showing a consumer viewpoint according to the invention;

[0037] FIG. 4 is a flow diagram showing a technical support application according to the invention;

[0038] FIG. 5 is a block diagram showing an advice site according to the invention;

[0039] FIG. 6 is a block diagram showing an advice reader according to the invention;

[0040] FIG. 7 is a block diagram showing consumer response to relevance notification according to the invention;

[0041] FIG. 8 is a data structure showing an advisory according to the invention;

[0042] FIG. 9 is a block diagram showing the process of relevance evaluation according to the invention;

[0043] FIG. 10 is a flow diagram showing expression tree generation according to the invention;

[0044] FIG. 11 is a block diagram showing named property method dispatch according to the invention;

[0045] FIG. 12 is a flow diagram showing an object evaluation model according to the invention;

[0046] FIG. 13 is a flow diagram showing an object hierarchy according to the invention;

[0047] FIG. 14 is a flow diagram showing a new component of an object hierarchy according to the invention;

[0048] FIG. 15 is a data structure showing the contents of an inspector library according to the invention;

[0049] FIG. 16 is a block diagram showing situational advice according to the invention;

[0050] FIG. 17 is a block diagram showing simulated conditions according to the invention;

[0051] FIG. 18 is a block diagram showing a commodity market according to the invention;

[0052] FIG. 19 is a flow diagram showing a relevance-adapted document according to the invention;

[0053] FIG. 20 is a flow diagram showing questionnaire processing according to the invention;

[0054] FIG. 21 is a flow diagram showing a mandatory feedback variant according to the invention;

[0055] FIG. 22 is a flow diagram showing a consumer feedback variant according to the invention;

[0056] FIG. 23 is a flow diagram showing masked bi-directional communication by an anonymous server according to the invention;

[0057] FIG. 24 is a flow diagram showing a further mandatory advice variant according to the invention; and

[0058] FIG. 25 is a block diagram showing remove relevance invocation according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

[0059] The invention implements a process of communication which systematically solves the problem of linking an information provider to an information consumer. The invention provides a system which depends on the use of computational devices connected by communications networks. In actual practice, these devices could range from traditional large-scale computers to personal computers to handheld personal information managers to embedded computational devices in the ambient environment, including consumer appliances such as remote controls and smart TVs, or other common computationally-dense environments, such as transportation vehicles. The communications mechanisms could include a modem or other wired media, or wireless communications, using the Internet or other protocols, and could include the physical distribution of media. Whatever the specific instance, for purposes of the discussion herein, the computational device shall be referred to as a computer and the communications infrastructure shall be referred to as a network. Typical examples of such infrastructure include intranets (private computer networks), and the Internet, the large public computer network that hosts the World Wide Web and related services.

[0060] The invention architecture is best understood if a specific terminology is adopted, which evokes a focused instance of the above described communications problem. The specific units of information to be shared henceforth are referred to as pieces of advice (see FIG. 1). The special digital documents conveying advice are referred to as advisories. An advice provider 10 is an organization or individual which offers information in the form of advisories 12a-12d. The provider is represented by a server computer in a communicating network of computers. An advice consumer 14a-14c is an organization or individual which receives information in the form of advisories. The consumer is represented by a computer referred to as the consumer computer in a communicating network of computers.

[0061] It is helpful to think in concrete terms, and to suppose that the advice provider is in fact a large organization running a large-scale server computer; that the advice consumer is in fact an individual represented by a single personal computer, smart TV, personal information manager, or other personal computational device; and to suppose that the network of computers may communicate according to a protocol similar to the TCP/IP protocol now in use by the Internet. In actual practice, many variations can be expected. For example, an advice provider may constitute an individual represented by a personal computer, an advice consumer may be a corporation represented by a large-scale computing engine, and the communications process underlying the invention may be realized with other protocols operating over other physical means of communication.

[0062] Using this terminology, it is now possible to describe a key purpose of the invention. The invention allows one to relay advisories from advice providers to advice consumers. The communications protocol allows narrowly-focused targeting by automatically matching advisories with consumers for whom those advisories are relevant.

[0063] Relevance determination (see FIG. 2) is carried out by an applications program, referred to as the advice reader 20 which runs on the consumer computer and may automatically evaluate relevance based on a potentially complex combination of conditions, including:

[0064] Hardware Attributes. These are, for example, the type of computer on which the evaluation is performed, the type of hardware configuration 21, the capacity and uses of the hardware, the type of peripherals attached, and the attributes of peripherals.

[0065] Configuration attributes. These are, for example, values of settings for variables defined in the system configuration 22, the types of software applications installed, the version numbers and other attributes of the software, and other details of the software installation 27.

[0066] Database attributes. These are, for example, attributes of files 23 and databases on the computer where evaluation is performed, which may include existence, name, size, date of creation and modification, version, and contents.

[0067] Environmental attributes. These are, for example, attributes which can be determined after querying attached peripherals to learn the state of the environment in which the computer is located. Attributes may include results of thermal, acoustic, optical, geographic positioning, and other measuring devices.

[0068] Computed attributes. These are, for example, attributes which can be determined after appropriate computations based on knowledge of hardware, configuration, and database and environmental attributes, by applying specific mathematico-logical formulas, or specific computational algorithms.

[0069] Remote attributes 24. These are, for example, hardware, configuration, database, environmental, and computed attributes that are available by communicating with other computers having an affinity for the consumer or his computer.

[0070] Timeliness 25. These are, for example, attributes based on the current time, or a time which has elapsed since a key event, such as relevance evaluation or advice gathering.

[0071] Personal attributes. These are, for example, attributes about the human user(s) of the computer which can either be inferred by analysis of the hardware, the system configuration, the database attributes, the environmental attributes, the remote attributes, or else can be obtained by soliciting the information directly from the user(s) or their agents.

[0072] Randomization 26. These are, for example, attributes resulting from the application of random and pseudo-random number generators.

[0073] Advice Attributes 27. These are, for example, attributes describing the configuration of the invention and the existence of certain advisories or types of advisories in the pool of advice.

[0074] In this way, whatever information is actually on the consumer computer or reachable from the consumer computer may in principle be used to determine relevance. The information accessible in this way can be quite general, ranging from personal data to professional work product to the state of specific hardware devices. As a result, an extremely broad range of assertions can be made the subject of relevance determination.

[0075] The advice reader 30 (see FIG. 3) may operate automatically to determine relevance. It may present to the consumer a display of relevant advisories 32 only from several advice sites 33a-33c, so that the consumer is not burdened with the task of reading irrelevant advisories. In this way advisories may provide an automatic diagnosis 34 to any problem which a relevance clause may describe.

[0076] Advisories are digital documents which may contain an explanatory component, describing in terms the consumer can easily understand the reason that the advisory is relevant and the purpose and effects of the action which is being recommended to the consumer. These digital documents may also contain, as another component, executable computer programs, or links to executable computer programs. In this way advisories may provide an automatic solution to any problem which the relevance message may have diagnosed, and which may be activated at the consumer's discretion.

[0077] In short, the invention posits a situation where proactive advice providers identify situations of interest to consumers and provide advice about dealing with such situations.

[0078] Computer Technical Support Application.

[0079] To make the above generalities more concrete, a particular application area is described where this communications process may be of considerable utility (see FIG. 4).

[0080] In the technical support application, the advice provider offers a computer-related product or service, such as hardware, software, Internet service, or data processing service. The advice provider has a potentially large, potentially widely distributed customer base 40. In part from user input 42, the advice provider knows of problematic situations 41 which may affect certain computers belonging to the customers. The advice provider identifies these problematic situations 43, which may include the use of out-of-date versions of software, improper system settings, conflicting combinations of software applications, inadequate physical resources, corrupted files, and other similar phenomena. The advice provider may know, for each problematic situation, a precise combination of hardware, system configuration, database configuration, timeliness, and other attributes which may signal the situation. The advice provider may know a precise solution 44 to each problematic situation, which may include:

[0081] A suggestion to the user to modify usage patterns;

[0082] A suggestion to the user to read a document;

[0083] A proposal to upgrade to a new software version;

[0084] A proposal to modify system settings;

[0085] A proposal to run a certain script to effect a solution; or

[0086] A proposal to download and execute special applications to correct the situation.

[0087] The advice provider authors an advisory 45, which is then preferably tested 46, and made available to relevant users at an advice site 47. In this way, the advice provider can use the invention to reach the consumer population efficiently. The provider packages the information about the specific situation as a formal advisory concerning the situation. This digital document may include:

[0088] A precise formal-language specification of conditions under which the situation occurs;

[0089] Explanatory information intended for consumers who are in the given situation, describing to those consumers the situation they are in, the implications of the situation, and the provider's proposed actions to correct the situation; or

[0090] Digital content providing automatic solution or response.

[0091] The advice provider publishes the advisory 40 over the Internet or an Intranet, through an advice server running at the provider's advice site. For example (see FIG. 5), the advice site may comprise a directory of advice files 51a-51b and inspector files 52a-52b (discussed below). These advisories may be communicated to the outside world 54 via such media as a directory message server 55, an HTTP server 56, an FTP server 57, or a file server 58.

[0092] The advice consumer is a user of the products and services of the advice provider who knows of the advice provider's advice site and generally trusts the provider's organization and the advice that it authors. The advice consumer has available on his computer the advice reader application. The advice consumer instructs his advice reader to subscribe to the advice site offered by the advice provider.

[0093] The advice reader 20 (see FIG. 6), at scheduled intervals or under user manual control via a user interface 65, gathers advisories to which the user subscribes. Subscriptions to advisories are entered with a subscription manager 67 based, at least in part, on information in various user site definition files 68. Advisories are gathered from the advice provider's advice sites 33a-33b using a gatherer 60. The reader then parses the advisories using an unwrapper 61 and adds these advisories to any already existing body of advisories. Advisories may be provided to the reader via any of several sources, including alternate input streams 62. The advice reader determines the relevance of any of the existing or new advisories with a relevance evaluation module 63. This determination is made either continuously, at scheduled intervals, or under user manual control. The advice reader includes a user interface 65 that receives relevant advisories and a display and management system 66 that displays relevant advisories for inspection by the consumer. In some embodiments of the invention, an advisory may also be subject to digital verification using a verification module 64 (discussed in greater detail below).

[0094] A typical relevant advisory is reported to a consumer as follows:

[0095] Your computer has a certain combination of hardware and software and settings. Computers with this combination have frequently been reporting a particular problem. Our company has a solution. It will change your computer settings. If you accept to use this solution, your problem will go away. This solution has been rigorously tested before release, and represents our best known way of dealing with this problem.

[0096] The advice consumer reviews such relevant advisories 100 (see FIG. 7), and acts on the advisories 110, for example by ignoring the advisory 111. Otherwise, the user potentially deliberates, which deliberation may include informing himself further about the advisory or its author 112, informing others of the advisory 113, or taking some other offline action 114 and then, depending on the outcome of the deliberation, he approves or denies approval. If the consumer gives approval, an automatic solution may result, which may involve a variety of activities, including software downloading 72, installation, and execution 71, an automatic electronic response 73, or the purchase or order of a digital object 70.

[0097] This particular application area shows how the invention can be used to diagnose and fix problems on a computer automatically. There are many other applications areas of the invention, which may involve making commercial transactions rather than fixing computer problems, or offering new forms of private communications.

[0098] Responsiveness to Concerns

[0099] The invention is fully responsive to the concerns discussed above.

[0100] Provider Concerns

[0101] Large Scale Communications.

[0102] In common with other computer-mediated communications systems, such as the world-wide web, the invention is able to reach a large number of consumers and convey to them a large body of informational messages, at low cost.

[0103] Automatic Operation.

[0104] The matching of information to consumers is done without the need for case-by-case intervention of skilled human operatives.

[0105] Exclusive Targeting.

[0106] The invention enables information to flow precisely to the appropriate consumers. The provider can guarantee this by carefully specifying the conditions under which a piece of advice is relevant.

[0107] Targeting with Intimate Knowledge.

[0108] Information targeting in the invention is precisely focused on the attributes of the consumer because it has access to intimate knowledge of the inner details of the consumer computer's state, without necessarily disclosing this knowledge to the provider. This degree of targeting is not possible under other protocols because other protocols require disclosure of this information to the provider to determine if a piece of information is relevant.

[0109] Consumer Concerns

[0110] The invention satisfies the main consumer concerns mentioned earlier.

[0111] Automatic Unattended Operation.

[0112] The invention is an automated messaging system which operates successfully with infrequent consumer involvement. The advice reader can periodically gather new advice from advice sites that it subscribes to. This process may be fully automatic (manual intervention is also available). The databases of advice resident on the consumer computer may be continually evaluated for relevance by automated unattended operation of the advice reader.

[0113] Provision of Narrowly Targeted Information.

[0114] In a typical mode of operation, the consumer only sees information relevant to his precise attributes, including attributes derivable from the contents of his computer, associated peripherals and affiliated computers.

[0115] Timely Provision of Information.

[0116] In a typical mode of operation, a piece of advice may enter the consumer computer and remain resident for an extended period of time before becoming relevant. Information is displayed when it has become applicable, not before it does.

[0117] Opportunity for Deliberation.

[0118] Typically, the advice reader does not automatically apply a recommended solution operator. Rather, the advice reader gives the consumer the chance to study the diagnosis and recommendation, and to evaluate the credibility of the provider, before proceeding. There are three special aspects to the deliberation process available in the invention:

[0119] Disclosure of Potential Risks. By exploiting known user interface methods, such as HTML display with hypertext links, the invention enables advice providers to inform consumers fully about potential risks associated with following a certain recommended course of action.

[0120] Discovery of Consumer Complaints. Via devices to be discussed below (such as the Better Advice Bureau) consumers may use the advisory mechanism to inform themselves about the existence of known and foreseeable privacy and security risks associated with specific advisories and/or advice providers before accepting proposed solutions.

[0121] Correction of Known Defects. The invention allows advice providers to retract their own faulty advice. An instance of this is the UrgentAdviceNet mechanism (discussed below) for rapidly distributing advisories to the invention population.

[0122] Automated Solution.

[0123] Typically the advice provider authors an advisory in such a way that the advice reader offers it to the user to apply a recommended solution operator automatically after the user has given approval. Thus, the invention offers an automated solution to the user's condition under user guidance.

[0124] In short, the invention provides a mechanism to match consumers with highly specific relevant advisories efficiently in a communications structure which is responsive to consumer concerns.

[0125] Security and Privacy Technique: One-way Membrane

[0126] The disclosed invention offers a comprehensive process for computed-relevance messaging. This is a broad idea, with many possible applications. In certain settings, this type of messaging must be implemented in a fashion which pays special attention to security and privacy concerns, i.e. a one-way membrane 35 (see FIG. 3). For a concrete instance, consider the technical support application (discussed above), where:

[0127] Communication must take place over public networks such as the Internet;

[0128] The advice provider is a large business or other concern; and

[0129] Advice consumers make up a widely distributed group of lay users.

[0130] In this setting, consumers have special concerns about any process which functions as if it had intimate knowledge of the consumer's computer and its contents. These concerns are legitimate because the Internet is widely known as an insecure communications medium. Hence, systems which interact with the Internet, and which appear to function as if they had intimate knowledge about a user, might appear to enable privacy intrusions.

[0131] The invention addresses this problem by proposing a method of interaction between the consumer computer and the Internet which protects the consumer's privacy. This mechanism need not be used in other settings. For example, in certain private computer networks, commonly referred to as intranets, the invention has a variety of applications. In such settings, security and privacy are considered guaranteed by physical control of the computer and communications infrastructure involved, and possibly by contracts creating obligations on the participants in the process.

[0132] The invention employs a special protocol for subscription and gathering in the security and privacy critical setting. For purposes of the discussion herein, this setting is referred to as the Anonymous Exhaustive Update Protocol (AEUP). The intention of this interaction protocol is to create a one-way membrane, where information can enter the consumer computer in the form of advisories, but information about the consumer does not leave the consumer computer unless it is the consumer who initiates the transfer.

[0133] The AEUP protocol is described as the default protocol of the invention. The reasons that this protocol offers consumers privacy are discussed below. This document also describes many applications where security and privacy are not critical to acceptance by the consumer. Thus, it is possible to provide a certain degree of security and privacy protection without using this protocol. See below for a discussion of alternative protocols, such as the Anonymous Selective Update Protocol (ASUP).

[0134] A comprehensive discussion of privacy and security concerns is given below. The invention addresses:

[0135] Consumer Privacy Concerns. The invention fully respects consumer privacy concerns. In an implementation offering AEUP, consumers may benefit from narrowly-targeted advice without ever needing to reveal their identity, nor any of the attributes that were checked in determining relevance, nor the fact of relevance itself.

[0136] Consumer Initiative. In a typical mode of operation, no advice is received by the advice reader unless the consumer initiated the subscription. This protects the consumer from unwanted communications.

[0137] Privacy of Automatic Operations. Under AEUP, the operation of gathering advice from sites, the operation of evaluating relevance, and the operation of displaying relevant advice to the consumer need not result in the disclosure of consumer data to the advice provider.

[0138] Frustration of Intrusions. Certain embodiments of the invention contain mechanisms, described below, to prevent compromises of privacy even in case of certain illegal eavesdropping activities.

[0139] Consumer Security Concerns. The invention fully respects consumer security concerns. In an implementation offering AEUP, consumers may benefit from narrowly-targeted advice without exposing themselves to security threats from malicious sources.

[0140] Consumer Initiates Subscriptions. In a typical mode of operation, no advice is received by the advice reader unless the consumer initiated the subscription. The process of subscription to an advice site connotes limited trust by the consumer for the provider. Hence, in typical operation, advice is only received from trusted sites.

[0141] Harmlessness of Automatic Operations. Typically, the process of gathering and evaluating advisories has no noticeable effects on the computer system. Any recommended solution is applied only upon prior notification of the user and subsequent approval. Consumers who use the invention to merely peruse relevant messages, but do not follow the recommended actions, face no significant risk.

[0142] Disclosure of Potential Risks. By exploiting known user interface methods, such as HTML display with hypertext links, the invention enables advice providers to inform consumers fully about potential risks associated with following a certain recommended course of action.

[0143] Discovery of Consumer Complaints. Via devices that are discussed below (such as the Better Advice Bureau), consumers may use the advisory mechanism disclosed herein to inform themselves about the existence of known and foreseeable privacy and security risks associated with specific advisories and/or advice providers before accepting proposed solutions.

[0144] Correction of Known Defects. The invention allows advice providers to retract their own faulty advice. It allows other people to criticize an advice provider's faulty advice.

[0145] Automated Solution. The advice provider typically authors an advisory in such a way that the advice reader offers to apply a recommended solution operator automatically to the user system after the user has given approval.

[0146] Thus, the invention provides a mechanism for efficiently matching consumers with highly specific relevant advisories in a communications structure which is responsive to consumer concerns.

[0147] Layers of Invention

[0148] The present document describes computed relevance messaging from many viewpoints, i.e. from one extreme of a general communications process to the other extreme of a set of specific protocols that have been implemented by Universe Communications, Inc. of Berkeley, Calif. It is worthwhile to classify the several layers of the invention as described herein:

[0149] Relevance Guided Messaging. The general communications process used by the invention has five elements (see FIG. 8):

[0150] A Relevance Clause 80. An assertion about the state of a consumer computer, its contents, or environment which can be automatically evaluated by comparing the assertion with the consumer computer's actual state. Typically, the relevance clause is preceded by a subject line 82 which gives a general description of the advisory's subject matter.

[0151] An Associated message 81. A message or messages associated with the clause whose suitability for the consumer is determined at least partially by the evaluation of the clause.

[0152] A Gatherer 60 (see FIG. 6). An application that sees to it that relevance clauses flow into the consumer computer from various locations, perhaps by regular synchronization.

[0153] A Watcher 63 (see FIG. 6). An application that has the ability to evaluate relevance clauses, i.e. assertions about consumer computer's own environment, by comparing them with the actual state of the environment, and by inspecting properties of the consumer computer and its environment and checking if these point towards or away from relevance.

[0154] A Notifier 65, 66 (see FIG. 6). An application that has the ability to display messages to a user under at least partial guidance of an evaluated relevance clause.

[0155] A key difference of the invention from other targeted information providers is that the invention provides a detailed tool for tapping into very highly defined targets, which other protocols for targeting information cannot match because they do not routinely have access to the state of the consumer's environment.

[0156] The details of relevance guarded messaging are less important than this five-part model. For example, in one implementation, the five-part model is run on a computer network in a secure network such as a corporate intranet. In another implementation, the five-part model is run on a public computer network such as the Internet. Certain concerns that affect the public setting (e.g. security and privacy) might be completely irrelevant in the private setting, where those concerns are addressed by the physical control of the network. In either setting, the basic five-part model of relevance guarded messaging makes a valuable contribution to connecting providers with consumers.

[0157] It is important to note that this five-part model may have embodiments in which these five parts are not immediately evident. Potential implementations which make it clear that there can be many superficially different ways of achieving this basic structure are described below. For example, the relevance clause and the associated message may be packaged together in the same file and communicated simultaneously. In a different embodiment, the relevance guarded message can be communicated in two stages, where the first stage sends a relevance clause, and the second part is sent only if the first part leads to a relevant result and if the consumer computer asks the provider for the second part. Conceptually, the same useful effect can be obtained using either of these two messaging protocols. Both methods are embodiments of the same invention.

[0158] Relevance Guarding with Security and Privacy.

[0159] Owing to the tremendous importance of public networks, such as the Internet, an implementation of the five-part model which also addresses fundamental privacy and security concerns is of great significance. The mechanism by which the basic five-part model is extended (e.g. through AEUP, ASUP, or substantially equivalent protocols) to become a secure and private system over public networks is an important embodiment of the disclosed invention. It is potentially helpful for the broad consumer acceptance of computed relevance messaging.

[0160] Preferred Embodiment of the Invention.

[0161] The presently preferred embodiment of the invention consists of a large collection of different interacting components, carefully designed to meet the goals underlying this system. The many subsystems illustrate the potential of the invention in the technical support application. Those skilled in the art will appreciate that there are many other applications to which the invention may be put.

[0162] Variant Implementations.

[0163] The specific implementation was arrived at after a long series of different application areas were examined and carefully studied. This document describes in considerable detail a large number of variant implementations that modify the basic operation of the central implementation for other market areas or other demands. For example, in certain settings, the use of low communications bandwidth is important and privacy is unimportant. A variation for that setting is discussed below.

[0164] Invention Components

[0165] The following discussion describes the key components in what is currently regarded as the best mode of implementing the disclosed invention. In this implementation it is assumed that communications are via standard Internet techniques, and that the advice provider and advice consumer are both relying upon standard network connected computers.

[0166] Advice Provider Components

[0167] The following is a listing of component names, followed in various subsections by a brief discussion of each component:

[0168] advice site

[0169] advisories

[0170] site signature

[0171] site description file

[0172] inspector library files

[0173] supplementary files

[0174] While these general components may be implemented in many ways, it is easiest to describe their form and function in the currently understood best mode, based on the use of Internet communications protocols. Those skilled in the art will appreciate that this is not the only possible implementation.

[0175] Advice Site

[0176] This is a standard place on the Internet (see FIG. 5), e.g. a URL-addressable directory on a server computer, combined with server software that responds to certain TCP/IP requests for information.

[0177] The site directory may contain a plurality of files, including advisories, digests of advisories, and inspector libraries.

[0178] The software associated with the server may perform the functions of an HTTP server, an FTP server, or a file server, thereby providing access to the files stored in the directory using well-known communications protocols. The software associated with the server may also perform the functions of a specialized server, implementing invention-specific communications protocols.

[0179] These protocols may include:

[0180] The ability to serve a directory message describing the contents of the site directory, including filenames, sizes, and dates;

[0181] The ability to serve an abstract message which describes in abbreviated form the contents of the files in the directory;

[0182] The ability to engage in security handshaking;

[0183] The ability to perform challenges to advice readers to validate their authenticity; and

[0184] The ability to meter traffic through the site, and compute summaries of traffic levels.

[0185] The function of advice site server software is to process certain requests made by an advice reader running on a consumer computer. The advice reader may request information about the directory of the site, may ask for abstracts of advisories, and may ask for contents of individual advisories. The transaction between advice server and advice reader is described further below.

[0186] Advisories

[0187] The advisories in an advice site are digital files. Advisories typically have some of the following components:

[0188] A relevance precondition written in a formal relevance language, which is used to describe attributes of a computer and/or its contents and/or its environment. For more information on the relevance language, see below.

[0189] A humanly-intelligible component which may summarize the purpose of the message, may describe the author, may explain the precondition in human language, and may explain the solution in human language.

[0190] A computer-intelligible component which potentially offers either software tools to solve the problem or Internet access to software tools solving the problem. In the currently understood best method for this implementation, an advisory is a specially formatted ASCII file built using the MIME Internet standards track specification documented in RFC 1521 et seq. (see N. Borenstein, N. Freed, MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies, Internet Standards Track RFC 1521 (1993)). This format is currently used for transport of Internet mail; it contains headers documenting the sender of the message and its subject, and mechanisms for including digital signatures. A MIME file is easily transported over the Internet and is easily broken into its constituent components using parsing algorithms well-known in the Internet community. The advisory file format is described further below (see also A Guide to Writing Advisories for AdviceNet, Universe Communications, Inc., Berkeley, Calif. (1998)).

[0191] Authoring Advisories.

[0192] Site Signature

[0193] Associated with an advice site may be a certain digital signature mechanism, for example one of the standard signature mechanisms using public-key/private-key pairs. The signature mechanism may be used to sign advisories in a fashion that allows advice readers to verify that the advisory was in fact authored by the advice provider.

[0194] Site Description Files

[0195] The site description file (SDF) is a specially structured ASCII text file authored by the advice provider. It describes the provider's advice site and serves as the basis for a consumer to initiate a subscription. This file specifies the site location (URL), the site name, and site security characteristics, such as whether the site avows only advice which has been digitally signed. It also provides various parameters of the subscription process intended for use by the advice reader (for example, the recommended frequency of synchronization, and the type of subscription relationship (free/fee)). It may contain humanly interpretable text indicating the purpose of the site.

[0196] The SDF may also contain the public key associated with advice authored by the site. This public key is needed to verify signatures on advice authored by the site.

[0197] The SDF may also be signed by a trusted authority, to establish the authenticity of this site description file. For example, it may be signed by advisories.com or the Better Advice Bureau: see below.

[0198] The SDF may also contain a ratings block, provided by a trusted ratings service, to establish trust in the respect for privacy and security and the usefulness of advice at this site. See, for example, below.

[0199] Inspector Libraries

[0200] Inspector libraries are libraries of special purpose executable code, which may be accessed by advice readers for the purpose of extending the capabilities of the relevance language. In effect, inspector libraries provide a mechanism for advice site specific extensions to the relevance language.

[0201] Supplementary Files

[0202] The contents of the advice site discussed so far play important roles in the ordinary conduct of the invention. In one typical implementation, additional files may be present in the advice site directory. In such an implementation, data and applications files which do not play a role in the conduct of the invention per se may be included in the advice site directory. These files are distributed as are other files at the advice site. This implementation allows the distribution of installers, uninstallers, shell scripts, JAVA, and Visual Basic programs, i.e. in general, packages of data, applications, and other resources, that may play a supporting role in evaluating and following advice issued at the site. For example, such additional files may play a role as databases searched by the advice provider's own inspector libraries or as applications used in implementing the advice provider's recommended solutions.

[0203] Advice Consumer Components

[0204] The following is a listing of component names from the advice consumer perspective, followed in various subsections by a brief discussion of each component:

[0205] advice reader

[0206] subscription database

[0207] advice database

[0208] user profile

[0209] inspectors

[0210] solution wizards

[0211] Advice Reader

[0212] The advice reader is an application running on the consumer computer. It is responsible for liaison with the advice site and for managing interactions with the user. The advice reader maintains a directory of files on the consumer computer. Inside that directory are contained various files described below which are used/managed in the course of advice reader operation.

[0213] The advice reader has a number of jobs, which are listed below without elaboration:

[0214] Manage subscriptions

[0215] Synchronize with advice site

[0216] Gather advisory files

[0217] Unwrap advisory messages

[0218] Manage advice database

[0219] Manage relevance evaluation

[0220] Evaluate relevance of individual advisories

[0221] Invoke inspectors

[0222] Display relevant advisories to user

[0223] The process is described in detail below.

[0224] Subscription Database

[0225] The advice reader maintains a database of subscription information which allows for the scheduling and conduct of site synchronization by the gatherer component. The subscription database contains information about the address of the advice site; information and recommendations provided by the advice site's site description file, such as recommended frequency of synchronization; information needed to verify digital signatures associated with the advice site; and information associated with the user's experience with the advice site.

[0226] Advice Database

[0227] The advice reader maintains a database of advice that has been received from various advice sites. These may be indexed according to the site from which they were received, according to the systems that the advice concerns, or according to other principles which would be helpful to the consumer or to the author.

[0228] The advice reader may organize advice into pools of advice which share a common basis for treatment. Examples of this principle include a pool of advice specially targeted to the concerns of one user of a multi-user consumer computer, a pool of advice scheduled for manual relevance evaluation only, and a pool of advice scheduled for nightly evaluation at a certain time.

[0229] User Profile

[0230] The advice reader maintains a special file or files containing data which have been obtained from interviews with the user, deduced from his actions, or deduced from the properties of the computer or its environment. Such data may describe the computer or its environment, and may also describe preferences, interests, requirements, capabilities, and possessions and plans of the user, including things unrelated to computer operations.

[0231] The file or files may be encrypted. The file or files may be organized by advice site so that they describe interests, preferences, and so forth to be accessed by relevance queries associated with a specific site only.

[0232] Inspectors

[0233] Inspector libraries contain executable code which may be invoked by the advice reader as part of the relevance evaluation process. Inspectors can examine properties of the consumer computer, storage devices, peripherals, environment, or remote affiliated computers. These are further described below.

[0234] Solution Wizards

[0235] Solution wizards support the process of automated solution. They are applications which can perform stereotyped functions that are frequently of use for solving problems on computers. These are described further below.

[0236] Transaction Overview

[0237] The following discussion describes the basic model for an Internet-based transaction using the invention.

[0238] Subscription Model

[0239] In the invention, the initiative to begin an interaction typically comes from the consumer. The consumer becomes aware of the existence of an advice provider and associated advice site(s), for example, as part of installing a new hardware or software product on his computer, or as a result of advertising, or sharing experiences with other consumers. The consumer, after potentially informing himself about the kind of advice being offered at that site and its reliability, makes a decision to subscribe. The consumer, interacting with a piece of the advice reader called the subscription manager 67 (see FIG. 6), configures the advice reader to subscribe to the given advice site, by supplying it with either the corresponding site description file 68, or with a pointer to such a file, or with a pointer to the site itself which contains an instance of such a file. The consumer, after studying the terms of interaction recommended in the SDF, configures the parameters associated with the subscription, which control how frequently advice from the site is gathered.

[0240] Advice Gathering Using AEUP

[0241] Periodically, under the terms of the subscription, or manually under user control, the advice reader initiates a site synchronization. A component of the advice reader, referred to as the gatherer, has the duty to synchronize the consumer site image with the current image of the advice site. These states can be different if the advice site has retracted advice or authored new advice since the most recent synchronization. The gatherer makes sure that there is a one-to-one correspondence between advisories at the advice site and advisories in the consumer machine. The gatherer opens a connection to the directory message server at the advice site. After an optional security handshake to verify the authenticity of the advice reader and server, the gatherer queries the server for a directory message. The gatherer inspects the response and checks whether the site directory has changed since the previous synchronization. If not, there is no need to obtain any files from the advice site, and the session may end. If the directory has changed, or if this is the first synchronization ever, the gatherer initiates FTP and/or HTTP and/or file server access to the new files. The gatherer also deletes any advisories on the consumer computer which no longer correspond to advisories on the server, and this terminates the synchronization of the consumer site image with the true site image.

[0242] The protocol just described is the AEUP protocol that is described above. The gatherer is allowed, by the advice server, to gather all the files at the advice site anonymously or, at any rate, all files which have not previously been gathered. The intention is that the advice stored on the consumer machine consists at any given moment of all the advisories offered at the advice site at the time of the last synchronization, other than those that the user has specifically deleted. Hence, there is no selective gathering. Rather, gathering is exhaustive, i.e. every piece of advice is gathered. The implications of this protocol and alternative protocols are discussed below.
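
The following added example, which is not part of the original specification, sketches the AEUP gathering step of paragraphs [0241] and [0242] in Python. The class and function names, the use of file size as the only change indicator (the directory message also carries dates), and the sample advisory names are assumptions made for illustration; the point shown is that the requests an advice site observes depend only on the site directory and the previous synchronization, never on consumer state or relevance.

```python
from dataclasses import dataclass, field

# Constructed sample advice site contents (advisory bodies are placeholders).
SAMPLE = {"printer-fix.adv": b"advisory-1", "modem-patch.adv": b"advisory-02"}


@dataclass
class AdviceSite:
    """Stand-in for the advice site server; it logs every request it receives."""
    files: dict                                    # filename -> advisory bytes
    request_log: list = field(default_factory=list)

    def directory_message(self):
        self.request_log.append("DIRECTORY")
        return {name: len(self.files[name]) for name in sorted(self.files)}

    def fetch(self, name):
        self.request_log.append("FETCH " + name)
        return self.files[name]


@dataclass
class Gatherer:
    """Consumer-side gatherer; it never reads machine state or relevance results."""
    image: dict = field(default_factory=dict)      # consumer site image
    gathered: dict = field(default_factory=dict)   # filename -> size already gathered
    last_directory: dict = None

    def synchronize(self, site):
        directory = site.directory_message()
        if directory == self.last_directory:
            return {"fetched": [], "deleted": []}  # unchanged: the session ends
        # Exhaustive gathering: take every file not gathered before, relevant or not.
        fetched = [n for n, size in directory.items() if self.gathered.get(n) != size]
        for name in fetched:
            self.image[name] = site.fetch(name)
            self.gathered[name] = directory[name]
        # Retractions: drop local advisories the site no longer lists.
        deleted = [n for n in self.image if n not in directory]
        for name in deleted:
            del self.image[name]
        self.gathered = {n: s for n, s in self.gathered.items() if n in directory}
        self.last_directory = directory
        return {"fetched": fetched, "deleted": deleted}

    def user_delete(self, name):
        # Removed by the user; it stays in `gathered`, so it is not fetched again.
        self.image.pop(name, None)


def requests_seen_by_site(site, gatherer):
    """Run one synchronization and return exactly what the server observed."""
    site.request_log.clear()
    gatherer.synchronize(site)
    return list(site.request_log)


if __name__ == "__main__":
    site, reader = AdviceSite(dict(SAMPLE)), Gatherer()
    print(requests_seen_by_site(site, reader))   # first sync: directory + every file
    print(requests_seen_by_site(site, reader))   # no change: directory only
```

Because every subscriber issues the same sequence of requests, the server log cannot distinguish a consumer for whom an advisory is relevant from one for whom it is not.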

[0243] Unpacking Advisories

[0244] As described below, an advisory file is a potentially complex hierarchical structure, which may contain one or more than one message. The advice reader unpacks all the components of this structure. Components of the structure may be signed using a digital signature method; at unpacking time those signatures are verified. After unpacking, the advisories are entered in a pool of all advice, old and new, to be evaluated. In one typical implementation, the invention may suppress entry into the system of unsigned advisories or of advisories whose signatures cannot be verified.

[0245] Relevance Evaluation

[0246] As a matter separate from gathering, the pool of all advice to be evaluated may be processed, either continuously, or according to a consumer-defined schedule, or an immediate user request, or some specified trigger event (see FIG. 9). The advice reader parses the individual message and identifies the clauses determining relevance. These clauses are expressions in the formal relevance language which is described below. The advice reader parses the clauses using an expression tree generator 91 into a tree of elementary subexpressions (see FIG. 10) and then evaluates each subexpression of the tree using an expression tree evaluator. If evaluation proceeds successfully and results in a value of True, the message is deemed relevant 93. A dispatch method 94 is then used to consume the advisory which may include a file system inspector that identifies appropriate directory and file name references 96 in various user volumes 97, 98; a registry inspector 99 that inspects an operating system registry 120; an operating system inspector 121 that inspects various system elements 122; or a hardware device inspector 123 that inspects various system devices 124.

[0247] Inspectors

[0248] Evaluation of subexpressions is performed by methods called inspectors (see FIG. 11) which may perform mathematico-logical calculations, execute computational algorithms, return the results of system calls, access the contents of storage devices, and query devices or remote computers. These methods are called inspectors because a frequent purpose is to inspect the properties of the consumer computer, its configuration, or contents of its storage devices. Inspectors may come built in to the reader, and may also be plugged in via DLL or similar mechanisms. Thus, an object 130, property name 131, and/or string selector 132 is dispatched to a reader using a method dispatch module 134 in accordance with dispatch information contained within a method dispatch table 133. Various inspectors 135, 136 are provided at a user location, each of which includes an inspector library 137, 139 and associated methods 138, 140. Inspectors are described in greater detail below.
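
The following added example, which is not part of the original specification, illustrates the evaluation path of paragraphs [0246] and [0248] in Python: an expression tree generator, an expression tree evaluator, and a method dispatch table that routes each leaf (object type, property name, string selector) to a read-only inspector. The clause syntax, the inspector names and the sample machine state are hypothetical stand-ins and are not the relevance language itself; an advisory counts as relevant only when evaluation succeeds and yields exactly True, so any failure leaves it not relevant.

```python
import re

# Constructed snapshot of consumer-computer state; a real inspector would query
# the file system, registry or devices rather than a dict.
STATE = {"files": {"C:/app/plugin.dll": 20480}, "applications": {"PhotoTool": 407}}

# Method dispatch table: (object type, property name) -> read-only inspector
# method, which receives the state and the string selector.
DISPATCH = {
    ("file", "exists"): lambda st, sel: sel in st["files"],
    ("file", "size"): lambda st, sel: st["files"][sel],
    ("application", "build"): lambda st, sel: st["applications"][sel],
}
TOKEN = re.compile(r'\s*(?:(\d+)|"([^"]*)"|([<>=])|([A-Za-z]+))')


def tokenize(text):
    text, pos, tokens = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}")
        kind = ("num", "str", "sym", "word")[m.lastindex - 1]
        tokens.append((kind, int(m.group(1)) if kind == "num" else m.group(m.lastindex)))
        pos = m.end()
    return tokens


def parse(text):
    """Expression tree generator: clause text -> tree of nested tuples."""
    toks, pos = tokenize(text), 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1] if pos <= len(toks) else (None, None)

    def peek():
        return toks[pos] if pos < len(toks) else (None, None)

    def value():
        kind, val = take()
        if kind in ("num", "str"):
            return ("lit", val)
        if (kind, val) == ("word", "not"):
            return ("not", value())
        if kind != "word":
            raise ValueError("unexpected token")
        if peek() == ("word", "of"):  # <property> [of] <object type> "selector"
            take()
        (k2, obj), (k3, sel) = take(), take()
        if (k2, k3) != ("word", "str"):
            raise ValueError("expected an object type and a quoted selector")
        return ("prop", obj, val, sel)

    def comparison():
        left = value()
        if peek()[0] == "sym":
            return ("cmp", take()[1], left, value())
        return left

    tree = comparison()
    while peek() == ("word", "and"):
        take()
        tree = ("and", tree, comparison())
    if pos != len(toks):
        raise ValueError("trailing tokens")
    return tree


def evaluate(node, state):
    """Expression tree evaluator; leaf properties are answered by inspectors."""
    kind = node[0]
    if kind == "lit":
        return node[1]
    if kind == "prop":
        return DISPATCH[node[1], node[2]](state, node[3])  # KeyError: no inspector
    if kind == "not":
        return not evaluate(node[1], state)
    if kind == "and":  # short-circuits, so a guard can precede a risky lookup
        return evaluate(node[1], state) and evaluate(node[2], state)
    a, b = evaluate(node[2], state), evaluate(node[3], state)
    if type(a) is not type(b):
        raise TypeError("operands have different types")
    return {"<": a < b, ">": a > b, "=": a == b}[node[1]]


def is_relevant(clause, state=STATE):
    """Relevant only if evaluation succeeds and the value is exactly True."""
    try:
        return evaluate(parse(clause), state) is True
    except (KeyError, TypeError, ValueError):
        return False
```

A clause that names an inspector the reader does not have, or an object that is absent from the machine, evaluates to not relevant rather than raising an error or displaying the message.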

[0249] User Interface

[0250] After relevance has been decided for an item in the advice pool,a relevant item may be entered into a list of items to be displayed.This list may be displayed to the consumer according to typicaluser-interface models. The user-interface may inform the user about theauthor of the advisory, about the date the advisory was acquired, aboutthe date the advisory became relevant, about the subject of theadvisory, and about other attributes of the advisory message. The userinterface may offer the user to display the explanatory content ofindividual advisories. Depending on the advisory, the explanatorycontent may contain simple text explanations, or may contain moreelaborate multimedia explanations. Depending on the advisory, theexplanation may identify the situation which caused the advisory to berelevant, the implications of relevance, the recommended action oractions to take at this point, the anticipated effects of taking thoseactions or of not taking them, or the experiences of other users orother organizations with the proposed actions. The user studies thisexplanatory content, perhaps performing additional research (for examplestudying the trustworthiness of the provider, or the opinions of otherusers).

[0251] Recommended Response

[0252] As part of the display of a relevant advisory, the user istypically offered the possibility of an action in response to thesituation. Possible outcomes include:

[0253] consumer ignores information/proposal. The consumer reviews theadvisory, decides he does not wish to pursue it, ignores the content,and deletes the advisory.

[0254] consumer is notified. The consumer reviews the advisory, or someother document it refers to, and learns something important orinteresting.

[0255] consumer is entertained. The consumer reviews the advisory, orsome other document it refers to, or some multimedia content itcontains, or some multimedia content it refers to, and is exposed to astimulating presentation.

[0256] consumer forwards information to another. This may includefriends, family, colleagues, or associates. Forwarding may involve offline transport or electronic transport, such as e-mail.

[0257] consumer initiates correspondence with provider or other. Thismay include contact by mail, phone, fax, or e-mail. This may alsoinclude participation in an information exchange, including fortechnical support, training, or market survey purposes, as well asparticipation in a sale or other commercial interaction.

[0258] consumer initiates on-line participation in a timely event.

[0259] consumer purchases object by e-commerce. This may include a purchase entered by clicking on a button in the advice reader window which causes entry to e-commerce mode.

[0260] consumer fills out a form. This may include a form rendered by a Web browser, or a text file form intended to be returned by e-mail, or a form intended to be filled out and faxed or mailed back.

[0261] consumer initiates off line action in real world. This may include any off line action ranging from actions associated with the computer modifying the state of hardware devices, gathering information in the environment surrounding the computer, or reading some instructions in a manual before beginning an online process. This action may also include purely personal items.

[0262] consumer modifies system setting or data field on computer. This may involve the consumer executing a series of manual operations on the computer to change settings of some system component or software application or to modify an entry in a database.

[0263] consumer initiates an Install/Uninstall/Execute solution. This may involve the consumer clicking on a button in the advice reader, followed by automatic execution of a sequence of download/install/uninstall/execute steps, or it may require the consumer to access physical media such as floppy disk or CD-ROM to perform an install under direct supervision. It may involve automatic execution, or execution under user control, following instructions indicated for the user by the advisory.

[0264] consumer invokes Script file for solution. The advisory may offer a series of instructions in a high-level system-affecting language, such as AppleScript, DOS Shell, UNIX Shell, Visual Basic, which the consumer is expected to store as a file and then pass to a standard interpreter (e.g. AppleScript Editor, DOS Command Line Interpreter, UNIX Shell Command Line Interpreter, or Visual Basic Interpreter). This action may alternatively involve the consumer executing a series of manual operations on the computer that involve typing in commands one by one in a certain window of a certain application.

[0265] Many concrete outcomes can be grouped among the outcomes in this list.

[0266] Advisory File Format

[0267] The advisory file format provides a mechanism to encode one single advisory or several advisories for transport across computer networks and other digital transport media, and to offer one or several variants of the same basic explanatory material. The following discussion describes the components of an advisory in general terms and describes the currently understood best method for implementing advisories using MIME.

[0268] Components of a Basic Advisory

[0269] The most elementary advisory may have these logical components (see FIG. 8):

[0271] Wrapper. Components designed to package the information for transport and subsequent decoding.

[0272] From Line. Component identifying the advice author.

[0273] Subject Line. Component identifying briefly the concern of the advisory.

[0274] Relevance Clause. Component in the formal relevance language precisely specifying the conditions under which the advisory could be relevant.

[0275] Message Body. Component providing explanatory material potentially explaining to the user what condition has been found relevant, why the user is concerned, and what action is recommended.

[0276] Action Button. Component providing the user the ability to invoke an automatic execution of the recommended action.

[0277] Clause Variations

[0278] Elaboration on the basic scheme may also be valuable:

[0279] The advisory may contain an expires-when clause. This is an expression in the formal relevance language which causes the message to expire if it evaluates to True.

[0280] The advisory may contain an evaluate-when clause. This is an expression in the formal relevance language which causes the message to be evaluated for relevance if it evaluates to True.

[0281] The advisory may contain a requires-inspector-library clause. This may give the name of an inspector library and a URL where it can be found. This indicates that a certain inspector library must be installed for relevance to be evaluated correctly.

[0282] The advisory may contain a refers-to clause, giving keyword labeling of systems referenced by the condition associated with the advisory.

[0283] The advisory may contain a solution-affects clause, giving keyword labeling of possible effects of the recommended response.

[0284] Other variations may be recognized as useful in the future. Such variations are not excluded from the scope of the invention.

[0285] Display Variations

[0286] The message body may occur in at least three forms:

[0287] Text. The explanatory material may be an unconstrained ASCII text document. This has no embedded variations in presentation style (e.g. no changes in font and/or no hypertext references to outside documents).

[0288] HTML. The explanatory material making up the message body may be an HTML document. This is familiar from Web browsers. HTML documents may contain variations in the presentation of text, may contain tables and visual formatting features, may contain references to external documents, and may contain references to external graphics files.

[0289] Text/HTML. The explanatory material making up the message body may be given in both text and HTML forms. The advice reader has the option of using whichever form is more appropriate to the user.

[0290] Further variations in message content, including audio and video content, are not excluded from the scope of the invention.

[0291] Digital Integrity and Authenticity

[0292] The message body may have digital authentication features appended to the message to ensure its integrity and authenticity.

[0293] A digital digest may be appended to the message to ensure message integrity. At the time that the message is compiled by the author, a specialized functional of the message body may be computed and appended to the message. The recipient of the message can verify the integrity of the message by computing the same functional and verifying that it produces the same result as that appended to the message. Known examples of digital digests include CRC, MD5, and SHA.

[0294] Digital digests are familiar in the computer programming community under the name hashing. The idea is that certain mathematical operations based on modular arithmetic are applied to a numerical representation of a body of text, producing a numerical output ranging in magnitude from a small number to a number requiring some dozens of digits to represent, depending upon the details of the digest mechanism. These arithmetic operations typically produce an output which depends on the original body of text in a discontinuous way which is not easily invertible. That is, slightly different messages tend to have very different digests. Also, it may be difficult to find any two messages with the same digest, and if one of the two messages is previously specified, it is particularly difficult to find another message which happens to have the same digest.

[0295] The practical implication is that a transmission or recording error which causes the advisory document to be modified in some way from the author's original intent does not typically result in a modified document that generates the appropriate digital digest. In this way, modified documents can be identified and suppressed from consideration.

[0296] A digital signature may be appended to the message to ensure message authenticity (see C. Pfleeger, Security in Computing, Second Edition, Prentice-Hall (1996); and PGP 4.0 Users Manual, PGP Pretty Good Privacy, Inc. (1997)). This is a refinement of the digital digest idea, rendering the digest secure against malicious tampering.

[0297] Digital signatures generally work as follows: At the time that the message is compiled by the author, a digital digest of the message is calculated. The digest is then encrypted using an encryption scheme that is well known and widely associated with the advice site. The encrypted digest is considered the advice site's signature on the message, and is appended to the message itself, labeled as a signature.

[0298] The advice reader, in seeking to verify the signature of the site, attempts to decrypt the signature using the well-known decryption algorithm associated with the advice site. A successful decryption produces a digital digest which agrees with the value that the advice reader calculates directly from the message. An unsuccessful decryption produces a result that does not agree with the digital digest of the received message.

[0299] It is commonly accepted (see C. Pfleeger, Security in Computing, Second Edition, Prentice-Hall (1996); and PGP 4.0 Users Manual, PGP Pretty Good Privacy, Inc. (1997)) that this approach, when used in conjunction with certain well-known encryption systems, produces a secure digital document. That is, it is accepted that a malicious agent cannot easily modify a given valid advisory to produce an impostor advisory which produces a successful decryption.

[0300] Indeed, to deceive this system successfully, it is necessary for the impostor to generate the digital digest of the modified document correctly and then apply the encryption algorithm associated with the advice site. While the impostor may be assumed to have learned the workings of the digital digest mechanism, it is assumed that he is not able to encrypt documents as if he were the advice site.

[0301] The fundamental assumption of modern cryptography systems as applied to public communication is that certain encryption/decryption algorithms can have widely known decryption algorithms and keep the encryption algorithms secret. Until this fundamental assumption is disproved, the digital signature mechanism is widely considered an effective authentication mechanism.
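The contrast between an appended digest and an appended signature described in [0293] to [0300], as an added example that is not part of the original disclosure. The Digest: and Signature: trailer lines, the function names and the key are assumptions; the key is a constructed toy built from publicly known primes with no padding, so it illustrates the arithmetic only.

```python
import hashlib

# Constructed toy key: P and Q are publicly known Mersenne primes, so this key
# gives no security at all; it only makes the arithmetic of the scheme visible.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537                          # verification exponent, known to every advice reader
D = pow(E, -1, (P - 1) * (Q - 1))  # signing exponent, known only to the advice site

# Constructed advisory body (ASCII), modelled on the example advisory on this page.
ADVISORY = (
    "Subject: A better version of the advice reader is now available\n"
    'Click to <A HREF="http://www.advisories.com/win98/advice50.exe">Download</A>'
)

def digest(body):
    """Digital digest of the message body: SHA-256, read as an integer."""
    return int.from_bytes(hashlib.sha256(body.encode("ascii")).digest(), "big")

def append_digest(body):
    """Author or anyone else: the digest needs no secret to compute."""
    return f"{body}\nDigest: {digest(body):x}"

def append_signature(body, signing_exponent=D):
    """Author side: the digest transformed with the site's secret exponent."""
    return f"{body}\nSignature: {pow(digest(body), signing_exponent, N):x}"

def _split(message, label):
    body, found, trailer = message.rpartition(f"\n{label}: ")
    if not found:
        raise ValueError(f"no {label} trailer")
    return body, int(trailer, 16)

def digest_ok(message):
    """Reader side: recompute the digest and compare it with the appended one."""
    try:
        body, claimed = _split(message, "Digest")
        return claimed == digest(body)
    except ValueError:          # missing trailer, non-hex value, non-ASCII body
        return False

def signature_ok(message):
    """Reader side: undo the signature with the public exponent, compare digests."""
    try:
        body, signature = _split(message, "Signature")
        return 0 <= signature < N and pow(signature, E, N) == digest(body)
    except ValueError:
        return False

def outcomes():
    """What each check says about an intact, a corrupted and an altered advisory."""
    altered = ADVISORY.replace("advisories.com", "advisories.example")
    with_digest = append_digest(ADVISORY)
    signed = append_signature(ADVISORY)
    return {
        "digest, intact": digest_ok(with_digest),
        "digest, corrupted in transit": digest_ok(with_digest.replace("advice50", "advice5O")),
        # Anyone can recompute a digest, so it cannot show who wrote the body.
        "digest, altered and recomputed": digest_ok(append_digest(altered)),
        "signature, intact": signature_ok(signed),
        "signature, altered body, old signature": signature_ok(
            signed.replace("advisories.com", "advisories.example")),
        "signature, altered body, wrong exponent": signature_ok(
            append_signature(altered, signing_exponent=D + 2)),
    }

if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The third case is the reason [0296] calls the signature a refinement: a recomputed digest passes the integrity check, while neither a reused signature nor one made without the signing exponent verifies.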

[0302] MIME

[0303] In the currently understood best method for structuring advice for Internet transport, an advisory document is packaged as a single ASCII text file which is a valid instance of a MIME file (see N. Borenstein, N. Freed, MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies, Internet Standards Track RFC 1521 (1993)). Actually, only a special subset of the full MIME format is used. Special extensions to MIME are added to accommodate the invention.

[0304] MIME is an Internet standards track format extending the classical e-mail Internet standard commonly referred to as RFC 822. The MIME format is widely used for Internet transport of electronic mail. It has four features of particular usefulness in connection with advisories:

[0305] Header Lines. MIME specifies that a message body may be preceded by an extensive message header consisting of a variety of header lines, where individual lines begin with a well known phrase and contain addressing, dating, and related commentary. Some of these lines can be easily adapted to serve the purposes of the invention. For example, the From Line and Subject Line components of an advisory can be implemented by the From: and Subject: header lines that are already part of the MIME standard.

[0306] Extensibility. MIME provides a method for creating new message lines in messages. This includes a method for embedding the new message lines in messages and a method for registering the new line with the MIME authorities. Key invention constructs relevant-when and expires-when may therefore easily be added to the MIME language in that fashion.

[0307] Alternation. MIME provides a method, i.e. Multipart-Alternate, for offering two different versions of the same message, with the destination picking the appropriate display method. Therefore, the invention construct of transmitting one or more ways to display the same information may easily be implemented using the MIME standard and its Multipart-Alternate feature.

[0308] Digesting Mechanism. MIME provides a well-understood mechanism, i.e. Multipart/mixed, for packing several complete MIME messages into a single file for Internet transport. MIME posits a recursive digest structure, in which a message can have several related components, and each component can itself be a MIME file inserted verbatim. Using this feature, a MIME file can be used to digest many component advisories, organized in a tree structure reminiscent of the branching structure of a modern personal computer file system.

[0309] Thus, MIME becomes a tool, not for packaging e-mail, but instead for packaging a new kind of document, i.e. the advisory. To avoid confusion, it should be appreciated that an advisory is unlike e-mail because an advisory does not have an intended recipient or list of recipients. Rather, it is a broadcast message. An advisory typically has relevance and related clauses, and an advisory typically has active content. E-mail does not have relevance and related clauses, and does not typically have active content. The advisory is part of a new form of communications which can be implemented within the MIME standard. The advisory application of MIME addresses a different problem than e-mail by omitting certain MIME clauses which were used for e-mail, and by adding new specialized clauses which are used in the relevance determination and advice management process. In a certain sense, the relationship of advisories to e-mail is comparable to the relationship between USENET and e-mail. Both advisories and USENET news systems use MIME as a packaging mechanism. However, both offer means of communications which are distinct from e-mail.

[0310] Although MIME is a convenient method of realizing the form of an advisory, there is no necessary connection of the invention to MIME. There are many other common formats in the Internet world, such as XML, which may be used for representing advisories. In this disclosure, only the currently understood best method for implementing the advice file is discussed.

EXAMPLE

[0311] The following is an example of an advisory file:

[0312] Date: Sat Mar 21 1998 17:06:12+0800

[0313] From: Jeremiah Adviser <jeremiah@advisories.com>

[0314] MIME-Version: 1.0

[0315] Organization: Universe Communications, Inc.

[0316] Subject: A better version of the advice reader is now available

relevant-When: version of application “advice.exe” < version “5.0”

[0317] Content-Type: text/html; charset=us-ascii

[0318] <HTML><BODY>

[0319] A better version of the advice reader is available.

[0320] Click to <A HREF="http://www.advisories.com/win98/advice50.exe">

[0321] Download</A> the latest version of advice reader.

[0322] </BODY></HTML>

[0323] Here the reader can see the various components of an advisory embodied as MIME components:

[0324] Wrapper. MIME-Version and Content-Type header lines.

[0325] From Line. From: Jeremiah Adviser . . .

[0326] Subject Line. Subject: A better version of . . .

[0327] Message Body. An HTML fragment, beginning <HTML> and ending </HTML>.

[0328] Action Button. Not present in this advisory. The active component of the message (downloading) is handled by the HTML HREF link. The user sees the word Download and typically understands that a mouse click on that word causes the indicated action.

[0329] Ratings Blocks

[0330] In an additional variation, it is possible for an advisory to contain ratings blocks containing information rating the advisory according to criteria such as privacy, security, and usefulness. There exist standard formats for such ratings blocks (see Khare, Rohit, Digital Signature Label Architecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64 O'Reilly (Summer 1997), http://www.w3.org/DSIG) and these are easily appended to messages with MIME structure. See also below.

[0331] Relevance Language

[0332] Advisories have a format resembling the format of e-mail messages, with many of the same components in the message/digest headers. One key extension offered by advisories is the institution of a new clause in the message, i.e. the relevance clause. The relevance clause is preceded by the keyword phrase relevant-When:. An expression from the relevance language follows the keyword. The following discussion describes the currently understood best method for describing the state of a consumer computer.

[0333] Descriptive Language

[0334] The purpose of a relevance clause is to examine the state of an individual computer and determine whether it meets various conditions which combine to imply the relevance of a certain advisory.

[0335] In the currently understood best method for implementing the invention, the language itself, i.e. in the allowable phrases of the language and the underlying semantics of the phrases, provides an intellectual model of the components of the consumer computer, its peripherals, storage devices, files, and related concepts. This is distinct from the usual model of computer languages, in which the language itself provides a rather meager picture of the problem it is used to address.

[0336] In common with traditional languages, the relevance language contains a few elementary data types, such as Boolean, integer, and string. Also in common with traditional languages, it is permissible to write arithmetico-logical expressions such as:

(2346+(−1234)/(1+2))>0

[0337] The meaning of a typical subexpression, e.g. 1+2, is apply method + to the pair of objects resulting from evaluating the two subexpressions 1 and 2. The pair of objects in question are objects of type Integer having values of 1 and 2, respectively. In the currently understood best method, the relevance language has a full range of arithmetic, string, and logical operations available, which are expressed as built in methods set to operate on the built in concrete data types (see FIG. 12).

[0338] Unlike traditional languages, the relevance language contains an abstract data type, World, which may be thought of as the overall environment of the personal computer on which the relevance clause is evaluated. This object has properties. These properties yield objects of various types, and these objects may have further properties (see FIG. 13).

[0339] World is a data type that, depending on the specific implementation and on the specific system configuration, may have many properties.

[0340] In the technical support application discussed above, these properties may include the system folder property, the CPU property, and the monitor property. Properties of an object are obtained by applying assessor methods to the object. The assessor method for the system folder of data type World returns an object of type system folder. The assessor method for the CPU property of data type World returns an object of type CPU. These derived objects, in turn, have properties of their own. For example, an object of type CPU may have a collection of properties such as speed, manufacturer, model, MMX, and cache. A method corresponds to each of these properties which, when applied to the object of type CPU, returns a result. For sake of discussion, it can be assumed that speed results in an integer, manufacturer results in a string naming the manufacturer, model results also in a string, naming the model type, and MMX and cache return the more specialized object types MMX, and cache.

[0341] The relevance language implicitly postulates that the set of inspectable properties of the consumer computer is identical to the set of properties of data type World and the set of properties derivable from World by repeated applications of asking for properties of an object derived from World (see FIG. 14). ObjectWorld gives an idea of the richness of the object world derivable in this way in the technical support application.

[0342] Example Relevance Clauses

[0343] The following are examples of relevance clauses as used in a technical support application:

[0344] Existence of a Certain Application on the Consumer Computer

[0345] relevant-When: exists application “Photoshop”

[0346] The intent of this fragment is that application is a property of World which takes an extra string parameter and returns an object of type application. exists is a property of any object, which returns the Boolean True if the object exists. If the application named Photoshop cannot be found by the method implementing the application property, then the result is a non-existent object, for which exists returns the Boolean False.

[0347] Comparison of Version Numbers

[0348] relevant-When: version of Control Panel “MacTCP” is version “2.02”

[0349] The intent of this fragment is that Control Panel is a property of the World which takes an extra string parameter and returns an object of type Control Panel. If the Control Panel named MacTCP cannot be found by the method implementing the Control Panel property, then the result is a non-existent object, for which version is not an allowed property, and evaluation fails. If the Control Panel named MacTCP is found, then version, being an allowable property of Control Panels, leads to invocation of a method which returns an object of type version containing the version number of that Control Panel, recorded in a particular format. This result is compared with the result of subexpression version “2.02”. This time version refers to a property of World, which takes an extra string parameter and returns an object of type version. If evaluation succeeds, the result of this comparison is Boolean: either True or False.

[0350] Compare Modification Dates

[0351] relevant-When: modification time of Photoshop PlugIn “Picture Enhancer” is greater than time “10 January 1997 12:34:56+0800”

[0352] The intent of this fragment is that Photoshop Plugin is a property of the World which takes an extra string parameter and returns an object of type Photoshop PlugIn. If the Photoshop PlugIn named PictureEnhancer cannot be found by the method implementing the Photoshop Plugin property, then the result is a non-existent object, for which modification time is not an allowed property, and evaluation fails. If the Photoshop Plugin named PictureEnhancer is found, then modification time, being an allowable property of a Photoshop Plugin, leads to invocation of a method which returns an object of type time. This result is compared with the result of subexpression time “10 January 1997”. Here, time refers to a property of World which takes an extra string parameter and returns an object of type time. If evaluation succeeds, the result of this whole expression is Boolean: either True or False.

[0353] Automatic Parsing and Evaluation

[0354] A key purpose of the relevance language is to enable an advice provider to publish advisories which can be accessed by the advice reader, running on a consumer computer, and be automatically read to determine, without intervention from the consumer, whether the advisory is relevant to the consumer.

[0355] In the currently understood best method, the relevance language is implemented as a context free grammar which can be automatically parsed into a tree of subexpressions. The tree of subexpressions can be understood as an abstract structure whose nodes are methods and whose branches are subexpressions.

[0356] This tree is represented using a standard notation in computer science:

(node (expr-1) (expr-2) . . . (expr-n))

[0357] where node gives the name of the method to be applied, and (expr-k) stands for the k-th subexpression to be furnished to the method. For example, the expression:

(2346+(−1234)/(1+2))>0

[0358] can be parsed into the expression tree:

(> (+ (Integer 2346) (/ (Integer −1234) (+ (Integer 1) (Integer 2)))) (Integer 0))

The expression:

exists application “Photoshop”

can be parsed into:

(exists (application “Photoshop”))

The expression:

version of Control Panel “MacTCP” is version “2.02”

parses into:

(is (version (Control-Panel “MacTCP”)) (version (string “2.02”)))

Finally, the expression:

modification time of Photoshop Plugin “Picture Enhancer” is greater than time “10 January 1997”

parses into:

(is-greater-than (modification-time (Photoshop-Plugin “Picture Enhancer”)) (time (string “10 January 1997”)))

[0359] In short, the goal of parsing is to identify a sequence of method invocations to be applied. Procedures for parsing context-free grammars into expression trees are well-understood (see A. Aho, J. Ullman, Principles of Compiler Design, Addison-Wesley (1977)). A lexer breaks the input into a series of tokens. In the currently understood best method, these tokens may take one of the following forms:

[0360] [String] A string of printable ASCII characters enclosed in quotation marks (").

[0361] [Integer] A string of decimal digits.

[0362] [Minus] The character −.

[0363] [SumOp] The characters +−.

[0364] [PrdOp] The characters */ and the string mod.

[0365] [RelOp] The character sequences =>>=<=!= and the relational phrases and or is not.

[0366] [Phrase] A sequence of one or more unquoted words, a word being an alphanumeric string beginning alphabetically and not containing embedded blanks. Phrases break at reserved phrases.

[0367] Parsing proceeds mechanically according to a precedence table giving the productions of a grammar. In the currently understood best method, the productions in the grammar are as follows:

<Goal> := <Expr>
<Expr> := <Expr> or <AndClause> | <AndClause>
<AndClause> := <AndClause> and <Relation> | <Relation>
<Relation> := <SumClause> [RelOp] <SumClause> | <SumClause>
<SumClause> := <SumClause> [SumOp] <Product> | <SumClause> [Minus] <Product> | <Product>
<Product> := <Product> [PrdOp] <Unary> | <Unary>
<Unary> := [Minus] <Unary> | [UnyOp] <Unary> | <Cast>
<Cast> := <Cast> as [Phrase] | <Reference>
<Reference> := [Phrase] of <Reference>
    | [Phrase] [string] <Restrict> of <Reference>
    | [Phrase] [integer] <Restrict> of <Reference>
    | [Phrase] [string] of <Reference>
    | [Phrase] [integer] of <Reference>
    | [Phrase] <Restrict> of <Reference>
    | [Phrase] [string]
    | [Phrase] [integer]
    | [Phrase] <Restrict>
    | [Phrase]
    | exists <Reference>
    | number of <Reference>
    | [string]
    | [integer]
    | it
    | ( <Expr> )
<Restrict> := whose ( <Expr> )

[0368] In this display, word stands for a reserved word in the language, [Phrase] stands for a phrase as defined in the discussion of lexical analysis on the previous page.

[0369] A grammar can be used to generate a parser by any of several means (see A. Aho, J. Ullman, Principles of Compiler Design, Addison-Wesley (1977)).

[0370] These may include automatic parser generators, such as YACC, which create a table driven finite state automaton that recognizes the grammar. The table is created directly from the production forms above, and also by hand generation of recursive descent parsers based on mimicking the productions of the grammar in modules whose naming and internal structure mimic the structure of the productions of the grammar.

[0371] All such approaches have the same basic result. New tokens are input, one-at-a-time, and compared with the current state and also with a table giving allowable type and mandated action on receiving that token, if any. The mandated action can be interpreted as specifying the individual steps in the systematic building up of an expression tree. A typical action is that associated with the production:

<Relation> := <SumClause> [RelOp] <SumClause>

[0372] which could be written, in a standard notation, as:

$$ = ($2 $1 $3)

[0373] This is interpreted as follows: $$ refers to the result of the production, $1, $2, $3 refer to the component subexpression trees, and the parentheses are notational devices that are used to delimit expression trees. This action calls for the association of the recognized <Relation> with an expression tree. This results from joining expression trees which are associated with the left-subexpression and the right sub-expression with a root method that compares the two expressions. Consider the expression version of Control Panel “MacTCP” is version “2.02”. Consider the state of the parser at the moment that it attempts to apply the <Relation> production with [RelOp]. The expression tree already associated with the left subexpression, $1, has representation (Control-Panel “MacTCP”) and that associated with the right subexpression, $3, has representation (version (string “2.02”)). The expression tree associated to the overall <Relation> expression is the merger of these two according to the pattern (is $1 $3). Hence, the resulting expression tree is representable as (is (Control-Panel “MacTCP”) (version (string “2.02”))).

[0374] Associated with each production is an action of appropriate form which describes how the tree is built. In certain implementations, the tree may only be built up implicitly.

[0375] Parsing can continue normally, if at every step of the parsing the next available symbol matches an allowable type; or it can fail, if an unexpected combination occurs. As soon as parsing fails, the piece of advice may be declared not relevant.

[0376] In the currently understood best method of implementing the invention, each valid method is already known to the parser at parse time. Unlike some other languages, parsing can fail if a clause is syntactically correct but uses phrases that name currently unknown methods.

[0377] In the currently understood best method of implementing the invention, each subexpression takes values which are strongly typed and for which the type is known in advance. Example data types include integer, string, and Boolean. Each method is known at parse time to work with certain combinations of data types of inputs and to give certain definite data types as outputs. Attempts to apply methods to forbidden data types are diagnosed as failure of the parse. If so, the piece of advice may be declared not relevant.

[0378] At the successful completion of parsing, an expression tree is built up consisting in essence of a collection of method invocations and associated arguments and associated data types of those arguments. Evaluation of the expression is the process of performing the appropriate method dispatching in the appropriate order.

[0379] Evaluation can be successful, or it can fail. It can fail, for example, from excessive use of system resources, unavailability of a resource, excessive delay in obtaining a resource, or for some other reason. Successful evaluation can yield a Boolean value of True or False or some other value. The interpretation of a piece of advice as relevant is equivalent to saying that the evaluation is successful, the value was Boolean, and is true.

[0380] In particular, if a certain subexpression cannot be interpreted as a valid expression in the language, if the subexpression attempts to apply methods to forbidden data types, or if the subexpression cannot currently be evaluated, the whole expression can fail, and the advice is automatically declared not relevant.
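A parser and fail-closed evaluator for a subset of the relevance language described in [0355] to [0380], as an added example that is not code from the original disclosure. It covers the <Expr>, <AndClause>, <Relation> and <Reference> productions with ASCII quotation marks, leaves out arithmetic, casts, parentheses and whose-restrictions, and writes string parameters inline as in (application "Photoshop"). The function names and the table of installed software standing in for real inspectors are assumptions.

```python
import re
from operator import and_, eq, ge, gt, le, lt, ne, or_

RESERVED = {"and", "or", "is", "not", "of", "exists"}
TOKEN = re.compile(r'\s*(?:"(?P<string>[^"]*)"|(?P<Integer>\d+)'
                   r'|(?P<Op><=|>=|!=|[=<>])|(?P<Word>[A-Za-z]\w*))')
# Binary levels, loosest binding first: <Expr>, <AndClause>, <Relation>.
LEVELS = [("or",), ("and",), ("=", "!=", "<", ">", "<=", ">=", "is")]
BINARY = {"or": or_, "and": and_, "=": eq, "is": eq, "!=": ne, "is-not": ne,
          "<": lt, ">": gt, "<=": le, ">=": ge}
# Constructed machine state standing in for real inspectors (an assumption).
INSTALLED = {("application", "advice.exe"): "4.2", ("Control Panel", "MacTCP"): "2.02"}

def _version(text):
    return tuple(int(part) for part in text.split("."))

def _find(kind):
    return lambda name: (kind, name) if (kind, name) in INSTALLED else None

# Properties of World that take a string parameter; None is a non-existent object.
WORLD = {"application": _find("application"), "Control Panel": _find("Control Panel"),
         "version": _version}
# Properties of derived objects; a non-existent object raises KeyError.
PROPS = {"version": lambda obj: _version(INSTALLED[obj])}

def lex(text):
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise SyntaxError(f"unexpected character at offset {pos}")
        kind, value, pos = match.lastgroup, match.group(match.lastgroup), match.end()
        kind = "Op" if kind == "Word" and value in RESERVED else kind
        tokens.append((kind, int(value) if kind == "Integer" else value))
    return tokens + [("End", None)]

def accept(tokens, *symbols):
    kind, value = tokens[0]
    return tokens.pop(0)[1] if kind == "Op" and value in symbols else None

def level(tokens, n=0):
    if n == len(LEVELS):
        return reference(tokens)
    tree = level(tokens, n + 1)
    while (symbol := accept(tokens, *LEVELS[n])):
        symbol += "-not" if symbol == "is" and accept(tokens, "not") else ""
        tree = (symbol, tree, level(tokens, n + 1))
        if n == 2:  # <Relation> takes at most one operator
            break
    return tree

def reference(tokens):
    if accept(tokens, "exists"):
        return ("exists", reference(tokens))
    kind, value = tokens.pop(0)
    if kind in ("string", "Integer"):
        return (kind, value)
    if kind != "Word":
        raise SyntaxError(f"unexpected token {value!r}")
    while tokens[0][0] == "Word":           # multi-word phrase such as Control Panel
        value += " " + tokens.pop(0)[1]
    if value not in WORLD and value not in PROPS:
        raise SyntaxError(f"unknown method {value!r}")   # methods are known at parse time
    if tokens[0][0] == "string":
        return (value, tokens.pop(0)[1])
    if accept(tokens, "of"):
        return (value, reference(tokens))
    raise SyntaxError(f"{value!r} needs a parameter or an object")

def parse(clause):
    tokens = lex(clause)
    tree = level(tokens)
    if tokens[0][0] != "End":
        raise SyntaxError("unexpected token after expression")
    return tree

def evaluate(tree):
    head, *args = tree
    if head in ("Integer", "string"):
        return args[0]
    if head == "exists":
        return evaluate(args[0]) is not None
    if head in BINARY:
        left, right = evaluate(args[0]), evaluate(args[1])
        if type(left) is not type(right):
            raise TypeError("method applied to forbidden data types")
        return BINARY[head](left, right)
    if isinstance(args[0], str):
        return WORLD[head](args[0])
    return PROPS[head](evaluate(args[0]))

def is_relevant(clause):
    """Fail closed: parse failure, evaluation failure or a non-Boolean value is not relevant."""
    try:
        return evaluate(parse(clause)) is True
    except Exception:
        return False
```

Every failure path ends in False, so a malformed clause can at worst leave an advisory undisplayed, and the evaluator only reads the constructed table, which keeps evaluation free of side effects.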

[0381] Extensible Language

[0382] The purpose of the relevance language is to describe precisely the state of a computer, its contents, attachments, and environment. This state can change as the consumer purchases new software and/or hardware, or as new software/hardware objects are invented. This state can change as consumer computers are used to represent consumers in new problem areas, for example, in personal finance, management of communicating devices in the home, or other areas.

[0383] Consequently it is not possible to delimit in advance the components of state that may be of interest to which the invention provides access. It is desirable for the relevance language to give future authors the ability to extend the relevance language to express concepts about system state that have not yet been conceived.

[0384] In one implementation of the invention, the vocabulary of the relevance language may be extended by the authorities and by authors at individual advice sites.

[0385] In that implementation, the relevance language is extensible by developing dynamically loaded libraries which add new vocabulary and semantics to the language and/or modify existing vocabulary and methods. These are referred to herein as inspector libraries and may be downloaded from an advice site and installed on a given consumer computer, thereby changing the meaning of the relevance language on that computer, and allowing new bodies of advice to be interpreted on that computer.

[0386] These dynamically loaded libraries contain declarations of the new data types which must be added to the language, of the new properties associated with the data types, of the data type resulting when a specific property is obtained for an object of a specific type, and of methods, i.e. executable code that implements access to the properties.

[0387] Non-procedural Language

[0388] Unlike many languages used in connection with the operation and/or maintenance of computers, the relevance language does not need to be procedural. That is, it need not specify how to manipulate the contents of various fragments of memory. This is the opposite of being descriptive. It is not necessary to enable traditional procedural services, such as loops, assignments, and conditionals.

[0389] On the contrary, making these services available in an expansive fashion may pose various security and privacy threats, by making it easy for carelessly written or maliciously written advisories to consume excessive resources at evaluation time.

[0390] In the currently understood best method of implementing the invention, procedural services are not made available in the relevance language. As inspection of the above grammar description shows, the language has:

[0391] no named variables

[0392] no assignment statements

[0393] no function calls, or at least no explicit function calls with variable arguments

[0394] no loops or conditional execution

[0395] These differences in appearance between the relevance language and other common languages are rooted in the following view:

[0396] Because of concerns about unattended evaluation, the language should ideally have no side effects on the computer or environment.

[0397] To inspire consumer confidence, consumers must be able to see for themselves that the language has no effects on the computer or environment.

[0398] A descriptive language, unlike a procedural one, has the appearance of having no side effects.

[0399] In short, the structure of the language and the visible limitations should communicate a message of security to the consumer.

[0400] The following discussion addresses two key differences of the relevance language from procedural languages:

[0401] Function Calls. The relevance language has method dispatches which correspond to function calls in some other languages, but they are of a more tightly constrained form.

[0402] First, there are the unary methods and the binary methods that occur in arithmetic and logical operations: +, −, *, /, and, or, =, and similar operations. These can be thought of as unary or binary function calls, but they are of a very restricted form, implementing well understood methods that typically pose little danger or resource burden.

[0403] Second, there are unnamed properties such as modification time.

[0404] Third, there are named properties such as application “Photoshop”.

[0405] The unnamed properties can be thought of as function calls applied to an object, but very bland ones, because no parameters are involved. Typically, a property is computed by extracting a certain value from a certain slot of a data structure. They typically pose little danger or resource burden. The named properties may be thought of as two-variable function calls. The first variable is the object and the second variable is the string name-specifier. However, these also are not very general operations because the string name-specifier, in one implementation, may not itself be a computed result. It must instead be a string constant. The types of calculations that can be specified in this way are tightly constrained. Again, typically a named property is computed by extracting a certain value from a certain slot of a data structure, so it poses little danger or resource burden.

[0406] Loops and Conditional Execution

[0407] The relevance language has no for, while, or if statements, but it does have a limited ability to perform iteration. It does this using a construct referred to as plural properties. In the relevance language there can be both singular and plural properties, e.g. both entry and entries properties, the first referring to a result which must be a singleton and the second referring to a result which may be a plurality. Typically, pluralities are further qualified by the use of the whose ( ) clause to restrict to subcollections.

[0408] By the plural-singular dichotomy, certain fine distinctions of meaning may be maintained. For example:

[0409] exists application “Photoshop”

[0410] has the meaning that there exists exactly one such application; and

[0411] exists applications “Photoshop” whose (version of it is version “4.0”)

[0412] has the meaning that there exists one or more than one application called “Photoshop”, and among those there exists one with version 4.0.

[0413] In the second example, an iteration is implicitly performed over the collection of all applications called “Photoshop” on the system in question, so the effect of a loop is obtained without using traditional procedural programming.

[0414] The restrictions on the expressiveness of the language help make the language safer from the viewpoint of privacy and security guarantees (see below). Nevertheless, the language is designed to be powerful in that it is intended to be highly expressive. A few words in this language provide access to answers about the system state which would be impossible to obtain in traditional procedural languages short of writing hundreds of lines of code and invoking many specialized functions in system libraries.

[0415] If an apparent need should arise for the kind of services that traditionally are handled by procedural languages, it may typically be satisfied by extending the relevance language using the inspector library mechanism mentioned earlier, and described in more detail below. This has two advantages:

[0416] [Efficiency] Including new inspectors by this extension mechanism, rather than by offering procedural services in the relevance language, leads to more efficient execution. Inspectors typically make available efficient compiled methods of execution, minimizing burden on system resources at relevance evaluation time, whereas the relevance language is interpreted, which is typically slower.

[0417] [Security] Including new inspectors by this extension mechanism allows one to correct problematic situations. If a certain complex expression is used in many places and has bad side effects, then it can be very hard to correct. If an equivalent piece of code is included as an inspector library, then one can identify the problematic code by using the relevance language to identify whether that inspector is installed on the user computer. This makes it possible to write counter advisories against advice that depends on inspector libraries.

[0418] Consumer-accessibility

[0419] The relevance language controls the execution of a system on a potentially vast number of computers. It is highly desirable, though not strictly necessary, for a relevance clause to be something which, in principle, a consumer could read and form an approximate understanding of, though few users may choose to do this in most cases.

[0420] In the currently understood best method of implementing the invention, the syntax of the relevance language resembles the syntax of plain English, with key roles in the language played by clauses formed from articles such as of, as, whose, and verbs such as exists.

[0421] The highly constrained nature of the language fosters consumer understanding. The language avoids constructs which assume a computer programming background by suppressing concepts such as arrays, loops, and conditional evaluation.

[0422] Inspector Libraries

[0423] Components of Inspector Libraries

[0424] Parsing of a clause in the relevance language results, conceptually, in the generation of a list of method dispatches (see FIG. 11), in which certain methods are called in a certain order with certain argument lists. Evaluation is a process of systematically carrying out the sequence of method dispatches in the appropriate order. Method dispatches are an important aspect of the relevance process.

[0425] An inspector library is a collection of methods (see FIG. 15) and associated interfaces which allows for the installation of methods into the advice reader. Because of the structure of the parser and the evaluation process, an inspector library may contain some of the following components:

[0426] Declaration of a [Phrase] to be used in the relevance language.

[0427] Association of that [Phrase] to a specific method.

[0428] Declaration of a new data type to be used in the evaluation process.

[0429] Declaration of the calling prototype of the method. This includes the number and the required data types of the arguments to be supplied to the method.

[0430] Declaration of the result data type of the method.

[0431] Implementation of that method in executable form.

[0432] Declaration of special hooks associating code to be called on events, such as advice reader initialization, advice reader termination, beginning of advice reader main evaluation loop, and ending of advice reader main evaluation loop.

[0433] Declaration of special hooks associated with creation and maintenance of special caches associated with the method.

[0434] Implementation of special event methods and cache methods in executable form.

[0435] Conceptually, an inspector library can be linked into the advice reader with all the declarations evaluated, resulting in changes to the advice reader's internal data structures, so that new method invocations become available.

[0436] These declarations affect two fundamental data structures of the system. The first is a syntax table giving all allowed phrases and the associated data types on which they may operate and the associated data types that result. This is used at lexical analysis time. The second is a method dispatch table, giving a systematic way to determine the associated executable method for a given phrase and data types. This is used at evaluation time.

[0437] Object-oriented Structure

[0438] A convenient way to implement the above inspector library structure is to rely on the features of a modern object-oriented programming language, such as C++. In effect, the built-in features of such a language, i.e. object declarations, polymorphism, and operator overloading, are ways of declaring that certain phrases have a certain meaning when applied to certain data types, and of systematically organizing that information. Other features, such as constructors, copy-constructors, and destructors, are ways of defining certain initialize time and terminate time code bodies.

[0439] In the currently understood best method, such features of modern object oriented languages are used to provide the various features of inspector libraries.

[0440] Extension

[0441] In one implementation, as described above, it is possible to install several inspector libraries in an instance of the advice reader. The inspector libraries that are so installed define the set of recognized [Phrase]s in the relevance language, the set of allowable data types at evaluation time, and the set of methods associated with those data types.

[0442] In short, the relevance language may be dynamically constituted. In one implementation, inspector libraries may be created by advice providers and downloaded to the consumer computer as part of the site synchronization.

[0443] Such libraries may be managed by the advice reader, for example, by storage in a well known location, such as a subdirectory of the overall directory managed by the advice reader. The inspector libraries in this directory may be linked into the advice reader at the time the advice reader is initialized.

[0444] When this linking happens, declaration routines are invoked, installing new [Phrase]s in the lexical analysis table of the relevance language, and associating these [Phrase]s to certain method invocations. The language expands in this way to include new descriptive possibilities.

[0445] Layered Language Definition

[0446] The relevance language may therefore be open ended, built up in layer upon layer of extensions. Hence, to understand a completely installed system is to understand the layers which have been installed, and to understand the methods that each layer provides. In a typical installation, these layers are as follows:

[0447] Base Layer. Contains the basic mechanics of clause evaluation: a number of basic built-in phrases and associated methods. It is expected that the base layer is the same on every consumer computer carrying the advice reader.

[0448] System-Specific Layer. This consists of a layer associated with a certain operating system, giving information about the characteristics of a certain family of computers and their attached devices and environment. For example, such a layer, in one implementation, provides methods to get the system date and time, the sizes of various files, the contents of the PRAM, or the names of attached peripheral devices.

[0449] Vendor-Specific Layers. This collection of potentially a large number of extension layers is typically produced by third parties, giving special access to the internals of certain hardware devices and software products. One can think of potential authors ranging over a span of products from hardware producers (e.g. of cable modems) to software producers (e.g. of Photoshop and plug-ins) to service providers (e.g. America On-Line).

[0450] Example: Version Inspector

[0451] The following is an example of an inspector for the version property of data type Application under the Macintosh OS. This inspector declares the following:

[0452] A new [Phrase] to be added to the relevance language: version;

[0453] A new data type, version, which has already been referred to in several examples above;

[0454] Several properties of this data type which are available under Macintosh OS:

[0455] Major Revision. The leading numeric field of the revision number.

[0456] Minor Revision. The secondary numeric field of the revision number.

[0457] Stage. A String, such as Alpha, Beta.

[0458] Country. A String, such as USA or France.

[0459] String1. A String.

[0460] String2. A String.

[0461] Methods, in the form of executable code, which implement the above properties by opening the resource fork of the application, extracting the desired information, and converting into the required data types.

[0462] A new named property of World, version, which casts a string property specifier, such as the 1.1 in version 1.1, into a version data type.

[0463] Upon installation, this inspector makes available to the system a series of data types and properties which may be as depicted in FIG. 14. As an example, to check if the beta version of an application with version number 0.99 is used, one might write the relevance clause:

[0464] Stage of application “Netscape Navigator” is “Beta”

[0465] and Minor Revision of application “Netscape Navigator” is 99

[0466] and Major Revision of application “Netscape Navigator” is 0

[0467] Special Inspectors

[0468] The language extension mechanism described above has powerful consequences, for example, as described in the following:

[0469] OS Inspectors

[0470] A system specific inspector can access the properties of the operating system and allow advice to be written to verify the existence and configuration of attached devices and other subsystems.

[0471] The following is an example of a valid fragment written for use with the Macintosh OS inspector library:

[0472] exists serial device “Modem Port”

[0473] The intent of this fragment is to check if this is the type of Macintosh having a dedicated modem port, which is to be distinguished from a Modem/Printer Port. The property of World referred to as serial device potentially matches several different devices. The qualifier selects from among those the one which has the name “Modem Port.” If there are any such devices, the phrase evaluates to True. If not, the phrase evaluates to False.

[0474] input name of serial device “Modem Port” is “.Aln”

[0475] The intent of this fragment is to check if the modem port is using the standard serial driver for that port. The specific property of World referred to as serial device “Modem Port” is an object with property input name. The fragment checks to see if this is equal to .Aln, its usual value in the Mac OS.

[0476] Examples of other properties and data types available in the Macintosh OS inspector library include:

[0477] Physical RAM. Property of World. Integer-valued: number of bytes of installed RAM memory.

[0478] Logical RAM. Property of World. Integer-valued: number of bytes of installed RAM memory and virtual memory.

[0479] Virtual Memory. Property of World. Boolean-valued: True if the virtual memory option is enabled.

[0480] PowerPC. Property of World. Boolean-valued: True if the CPU is a PowerPC.

[0481] System version. Property of World. Data type: version. Version of system which is currently installed.

[0482] ROM version. Property of World. Data type: version. Version of ROM which is currently installed.

[0483] These examples make it clear that one can write relevance clauses which target machines having, for example, a small amount of memory, outdated ROMs, or old system versions.

[0484] Registry Inspector

[0485] Modern personal computer operating systems, such as Windows 95 and Macintosh OS 8, have special databases referred to as registries which record a considerable amount of information about the configuration of the system, and the installation of certain pieces of software. A registry inspector is an inspector library which, when installed in the advice reader, enables the relevance language to refer to and evaluate properties of the registry database.

[0486] The following is an example on the Macintosh platform:

[0487] 22=integer value of entry “APPL.interrupt” of entry “bandit” of entry “Device Tree” of entry “devices” of Registry

[0488] The intent of the fragment is to enter the Macintosh name registry, find entry “devices”, look for the entry “Device Tree” within that, and descend to the subentry “bandit” and then the subsubentry “APPL.interrupt”. The resulting entry is then converted into an integer value and compared with code 22.

[0489] The registry may contain a vast amount of information about the computer on which it operates. The registry inspector makes all this information accessible to the relevance language.

[0490] Preferences Inspector

[0491] Typical application programs on modern computers, such as Netscape and Microsoft Word, have special databases, referred to as preferences files, which record a considerable amount of information about the configuration of a certain program. A preferences inspector is an inspector library which, when installed in the advice reader, enables the relevance language to refer to and evaluate properties of the preferences file of a specific application.

[0492] The following is an example:

[0493] Suppose that the Web browser application Netscape Navigator has a preferences file which associates to each of various content types a helper application that knows how to process that content type. For example, a helper application associated with a graphics file of type JPEG might be JPEGView, and a helper application associated with type x-pn-realaudio might be RealAudio Player.

[0494] Suppose that an advice provider called RealAudio wants to author advisories which target users whose Web browsers are misconfigured, and to provide them with automatic corrections to the configuration.

[0495] Suppose that there is available a Netscape Navigator Preferences inspector and that, after installation of that inspector in the advice reader, Netscape Navigator Preferences becomes a property of World.

[0496] This provider could then target consumers with RealAudio products, but improperly configured Web browsers, by authoring an advisory with relevance clause: exists application “RealAudio Player 4.0” and exists application “Netscape Navigator” and ((helper name of entry “x-pn-realaudio” of entry “Helper Table” of Netscape Navigator Preferences) is not “RealAudio Player 4.0”)

[0497] The intent of the fragment is to access the Netscape Navigator Preferences file, find entry “Helper Table”, look for the entry “x-pn-realaudio” within that, and extract the associated helper name. The resulting entry is a string which is compared with “RealAudio Player 4.0.”

[0498] The preferences file of a modern software application contains a considerable amount of information about the working of the application, and a preferences inspector makes all this information accessible to the relevance language.

[0499] Database Inspector

[0500] Many consumer computers contain, either explicitly or implicitly, a commercial database which stores information about the consumer. Examples include:

[0501] Databases associated with personal finance programs. Consumers who use CheckFree, Quicken, and similar programs implicitly have databases on their machine.

[0502] Databases associated with small office suites. Consumers who are running small businesses have customer databases, supplier databases, and accounting databases on their machines.

[0503] A database inspector is an extension to the base relevance language whose purpose is to allow the relevance language to access fields in a database. An example syntax is as follows:

[0504] numeric field “CURRENT BALANCE” of FoxBase Database “Personal.DBF” < 0

[0505] The intent of this fragment is as follows: The advice provider is attempting to reach consumers who use CheckFree. Users of CheckFree have a FoxBase-created database resident on their machine which is identified as Personal.DBF. The fragment intends to reach such consumers whose current bank balance, as indicated by the database, is negative. The semantics of the evaluation depend on the implementation of the FoxBase Database inspector.

[0506] It may be assumed that this works as follows: A database named Personal.DBF is located on the consumer computer's mass storage, is interpreted as if in FoxBase format, and the numeric field with field name CURRENT BALANCE is extracted. The fragment then compares the extracted value to the value 0.

[0507] Note that if the consumer does not have a database of the indicated type, the clause above fails to parse or fails to evaluate. Either way, it is not declared relevant. This reduces the need to worry about qualifying clauses of this type by lengthy preambles which check if the software of a certain type is available. Parse time failure could occur because the consumer computer does not have the FoxBase Database inspector installed. Evaluation time failure could occur because the file Personal.DBF cannot be located.
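The two tables of [0436] and the fail-closed behaviour of [0507] can be seen together in the following added Python sketch, which is not code from the patent. The FoxBase library, the in-memory FILES store, the ASCII quotes, and the restriction to clauses of the form "property chain, operator, literal" are assumptions made for illustration.

```python
import re

class ParseFailure(Exception):
    """Clause uses a phrase/type pairing that no installed library declares."""

class EvalFailure(Exception):
    """A dispatched method could not produce a value on this machine."""

OPS = {"<": lambda a, b: a < b, "=": lambda a, b: a == b, "is": lambda a, b: a == b}
LITERAL_TYPE = {int: "integer", str: "string"}
QUOTED = re.compile(r'"[^"]*"')

class AdviceReader:
    def __init__(self):
        self.syntax = {}    # (phrase, operand type) -> result type; used at parse time
        self.dispatch = {}  # (phrase, operand type) -> method; used at evaluation time

    def install(self, library):
        """Link an inspector library: every declaration extends both tables."""
        for phrase, operand, result, method in library:
            self.syntax[(phrase, operand)] = result
            self.dispatch[(phrase, operand)] = method

    def parse(self, clause):
        """Type-check '<property chain> <op> <literal>'; return the dispatch list."""
        tokens = re.findall(r'"[^"]*"|\S+', clause)
        split = next((i for i, t in enumerate(tokens) if t in OPS), None)
        if split is None or split != len(tokens) - 2:
            raise ParseFailure("expected: <property chain> <op> <literal>")
        raw = tokens[-1]
        if QUOTED.fullmatch(raw):
            literal = raw[1:-1]
        elif re.fullmatch(r"-?\d+", raw):
            literal = int(raw)
        else:
            raise ParseFailure(f"bad literal {raw!r}")
        segments = [[]]
        for tok in tokens[:split]:
            if tok == "of":
                segments.append([])
            else:
                segments[-1].append(tok)
        steps, typ = [], "world"
        for seg in reversed(segments):  # the innermost property is written last
            # A name-specifier must be a string constant, never a computed value.
            name = seg.pop()[1:-1] if seg and QUOTED.fullmatch(seg[-1]) else None
            phrase = " ".join(seg).lower()
            if '"' in phrase or (phrase, typ) not in self.syntax:
                raise ParseFailure(f"no phrase {phrase!r} on type {typ!r}")
            steps.append((phrase, typ, name))
            typ = self.syntax[(phrase, typ)]
        if typ != LITERAL_TYPE[type(literal)]:
            raise ParseFailure(f"cannot compare {typ} with {literal!r}")
        return steps, tokens[split], literal

    def evaluate(self, steps, op, literal):
        """Carry out the method dispatches in order, starting from World."""
        value = None  # the implicit World object
        for phrase, typ, name in steps:
            try:
                value = self.dispatch[(phrase, typ)](value, name)
            except (KeyError, OSError) as exc:
                raise EvalFailure(f"{phrase}: {exc!r}") from exc
        return OPS[op](value, literal)

    def relevant(self, clause):
        """Fail closed: a parse-time or evaluation-time failure is 'not relevant'."""
        try:
            return bool(self.evaluate(*self.parse(clause)))
        except (ParseFailure, EvalFailure):
            return False

# Constructed stand-in for DBF files on the consumer's disk (no real DBF parsing).
FILES = {
    "Personal.DBF": {"CURRENT BALANCE": -120},
    "Savings.DBF": {"CURRENT BALANCE": 50},
}

# Hypothetical inspector library: (phrase, operand type, result type, method).
FOXBASE_LIBRARY = [
    ("foxbase database", "world", "database", lambda _world, name: FILES[name]),
    ("numeric field", "database", "integer", lambda db, name: db[name]),
]

CLAUSE = 'numeric field "CURRENT BALANCE" of FoxBase Database "Personal.DBF" < 0'
```

A reader without the library rejects the clause at parse time, and a reader with the library but without the file rejects it at evaluation time; in both cases `relevant` returns False without the advisory needing a guard preamble.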

[0508] An application of this technology is in the technical support arena. Suppose that an advice provider publishes software which, as with CheckFree, creates and manages a database, and the provider would like to help consumers keep the database well updated. The advice provider could author advisories which target common problems in the consumer database, e.g. consumers who forgot to initialize the database with the correct balance. Such advisories would call these problems to the attention of consumers who have them, as well as specifying solutions to the problems.

[0509] User Profile Inspector

[0510] The invention maintains a file or files offering a user profile, consisting of certain identifying phrases and associated values.

[0511] A user profile inspector is an inspector library that can be installed in the advice reader and which enables the relevance language to refer to data stored in the user profile. At a high level of abstraction, this is the same type of function that is enabled by the database inspectors or registry inspectors, only with a different database being inspected.

[0512] As an example of how such an inspector might be used, suppose it was desired to reach users with Zip Codes of the form 947XX. Supposing that the user profile has a variable referred to as Zip Code, the relevance clause:

[0513] 947=(value of variable “Zip Code” of User Profile as integer)/100

[0514] would provide the needed functionality. The intent of this clause is as follows: The user profile is inspected, the variable named Zip Code is extracted, it is converted from string to integer, and the resulting integer is divided by 100. The two trailing digits are lost in the process, leaving an integer with three digits that may be compared to 947.

[0515] In one implementation, the user profile is a dynamically expanding database, with new variables added as advice providers need them. A mechanism is provided so that an advice provider can author a template file which describes a collection of variables to which the advice provider plans to refer in advisories and would like the consumer to specify. The template file is placed at the advice site and is automatically gathered at synchronization time. The template file is used to drive an editing module on the consumer computer which presents the user a list of the template variable names and a list of their current values or blanks if they have not previously been defined. The user can then fill in the blank fields and edit other fields. In this way, the variables which the provider wants defined can be brought to the attention of the user and edited.

[0516] The portion of the user profile associated with the specific advice site in this way is called the site profile. The advisory with relevance clause:

[0517] not exists Data file of site Profile

[0518] checks whether the site profile has been initialized for this site. If not, the advisory should have, as human-interpretable content, a message which indicates that the advice provider would like the user to fill out the user profile variables needed for correct functioning of advice associated with that site. It should have as computer interpretable content an invocation of an editing module which uses the new template to present the user with choices for editing a new user profile.

[0519] The advisory with relevance clause:

[0520] Modification Time of Data file of site Profile < Modification Time of Template file of site Profile

[0521] checks whether the site profile has been updated since the last new template file. If not, the advisory should have, as human interpretable content, a message which indicates that the advice provider would like the user to add some new user profile variables needed for the future correct functioning of advice associated with that site. It should have as computer interpretable content an invocation of an editing module which uses the new template and the old profile to present the user with choices for editing.

[0522] Remote Inspector

[0523] In principle, inspector libraries can also give the relevance language the ability to inspect properties of other communicating devices. These include:

[0524] Remote Physical Measurements. Ask other devices for information which those devices can measure, the information possibly to include position, temperature, voltage, or status of a process.

[0525] Remote Device Queries. Ask other devices for information about themselves or about their state.

[0526] Remote Computation. Ask other computers for the result of a calculation, for example a calculation specified by a formula, program, or script provided by the inspector.

[0527] Remote Database Queries. Ask other computers with databases to answer queries concerning contents of those databases.

[0528] Remote Relevance Invocation. Pass a relevance clause to another computer and obtain the result, as evaluated by the other computer in that computer's environment.

[0529] The following is an example of a remote physical measurement. Suppose there is an inspector library which defines a property of the World called Internet atomic clock and which has the ability to make queries to an authoritative timekeeper by Internet protocols that can return the result as a relevance language time data type. Suppose that it also defines a property of the World referred to as system Greenwich Time which gives the Greenwich Mean Time equivalent of the system clock. The following relevance clause targets consumers whose system time is incorrectly set:

[0530] abs((Greenwich Time of Internet Atomic Clock) − System Greenwich Time) > time “10 Seconds”

[0531] The following is an example of a remote device query. Suppose there is an inspector library which defines a property of the World called network Postscript printer and which has the ability to make queries to the currently selected printer to determine if it is properly configured. A valid relevance clause is:

[0532] Model of Network Postscript Printer is “LaserJet 5” and

[0533] ROM Version of Network Postscript Printer < version “2.0”

[0534] which targets those consumers with LaserJet 5 printers having old ROMs.

[0535] The following is an example of a remote database inspector. Suppose that the advice provider is a large organization that serves a population of advice consumers who are employees, who have small hand held computational devices, and who keep important data on a remote computer which has a trust relationship via security handshaking with these small devices. Suppose that the employees use organizational data which is accessible via a Lightweight Directory Access Protocol (LDAP) database server accessible over the Internet (see W. Yeong, T. Howes, S. Kille, LDAP (Lightweight Directory Access Protocol), Internet Standards Track RFC 1777 (1995)). The advice provider would like to serve up advice which asserts conditions about the employee's assigned project which is not available on the hand held machine, but instead is available by LDAP queries to the LDAP server. In addition, it asserts conditions about the employee's status which are only available on the hand held machine.

[0536] The provider develops an inspector library which can access data on the LDAP server, and an inspector library which can access data on the hand held device. Suppose that the installation of these inspectors includes steps to configure the LDAP queries with appropriate passwords and appropriate usernames. A valid phrase in the relevance language is:

[0537] sponsor of assigned project of Employee LDAP record is “U.S. Government” and (per diem charges of current daily expense of Employee Handheld record > 35)

[0538] The intent of this fragment is for a certain entry to be extracted from the LDAP database associated with this employee, and the sponsor name compared to “U.S. Government.” If that condition holds, the current travel expense record is queried for a per diem claim.

[0539] This approach provides a way of anonymously and proactively targeting employees listed in the organizational database as subject to a per diem rate lower than the expenses they are generating. Thus, the invention provides a method of checking expense claims during travel, well before submission.

[0540] Important issues arise in the specification of the interfaces with remote systems. One aspect is that there must be a trust relationship between the consumer computer requesting the remote service and the other device or computer fulfilling the request to allow automatic evaluation of relevance. The communications must be encrypted in some cases. The degree of resource use must be monitored. Digital authentication must be available in some cases. These are all details that can be handled by well-known mechanisms.

[0541] The provision of a process whereby an advice provider can author advisories which refer not only to properties of the consumer computer and its environment, but also to properties accessible by query from the consumer computer, creates a new communications protocol described below, i.e. the personal information access protocol.

[0542] Inspecting Program Log Files

[0543] Many computer software applications and processes maintain a log file or files that contain a record of the history of execution of the application or process. Standard examples of this include transaction logs kept by mail servers and by login daemons, backup logs kept by backup software, and error logs kept by user programs.

[0544] A program log inspector is an inspector library that can be installed in the advice reader and which enables the relevance language to refer to data stored in a certain log file or files. At a high level of abstraction, this is the same type of function that is enabled by database inspectors, registry inspectors, or user profile inspectors, only with a different database being inspected.

[0545] Such an inspector library defines access methods that allow one to obtain key data items from log files.

[0546] As an example of how such an inspector is used, suppose it was desired to reach users who run the application GraphMaker, where the log file generated by GraphMaker contained an error entry with error code 93456.

[0547] Suppose that this error code indicates that a certain PostScript printer was unable to process the file output by GraphMaker. It is desirable to communicate to consumers in this situation the fact that there is a workaround for this problem. Suppose that GraphMaker has an inspector library available at its advice site which implements a set of methods associated with the central data type, which is referred to as GraphMaker error log. Assume that when this inspector library is installed in the advice reader, GraphMaker error log is a property of World. Assume that GraphMaker error log has a property referred to as entry, and that the result of such a property is an object of type GraphMaker error log entry with properties error code and error message, yielding integer and string data types, respectively. Then the clause:

[0548] exists entries “Error” of GraphMaker error log whose (Error Code of it = 93456)

[0549] provides the needed functionality. The intent of this clause is as follows: The file associated with the GraphMaker error log is located and opened, and a search is made through this file for entries of type error as opposed to warning. These entries are examined to determine if any of them is associated with an error code of the indicated type.

[0550] This enables a technical support organization to develop a process for maintenance of complex products in the field where:

[0551] The product is developed so that exceptional conditions are identified and logged;

[0552] Inspectors for this log are developed and published at an advice site; and

[0553] Advice is authored which inspects the log to identify and correct problematic situations.

[0554] In this way a technical support organization can target consumers experiencing certain program faults.
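The following Python sketch is an added example, not code from the patent: it shows one way a program log inspector could evaluate the clause in [0548]. The log line layout, the class and function names, and the read cap are assumptions, since the text does not define GraphMaker's log format; the sample log is constructed.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator

# Assumed line layout; the page does not define GraphMaker's log format:
#   <date> <time> <ERROR|WARNING> <integer code> <free-text message>
LINE_RE = re.compile(r"^(\S+ \S+) (ERROR|WARNING) (\d{1,9}) (.*)$")
MAX_LOG_BYTES = 1_000_000  # bound the work one relevance evaluation may do

# Constructed sample log, not real GraphMaker output.
SAMPLE_LOG = """\
1998-01-12 09:14:03 WARNING 20017 Font substitution applied
1998-01-12 09:15:41 ERROR 93456 PostScript printer could not process output
-- log rotated --
1998-01-13 10:02:10 ERROR 1200 Disk full
"""


@dataclass(frozen=True)
class LogEntry:
    kind: str            # "ERROR" or "WARNING"
    error_code: int      # the "error code" property (integer)
    error_message: str   # the "error message" property (string)


class GraphMakerErrorLog:
    """Read-only view of the log; its contents are treated as untrusted data."""

    def __init__(self, path) -> None:
        self.path = Path(path)

    def entries(self, kind: str) -> Iterator[LogEntry]:
        try:
            with self.path.open("rb") as fh:
                data = fh.read(MAX_LOG_BYTES)
        except OSError:
            return  # missing or unreadable log: the property has no entries
        for raw in data.decode("utf-8", errors="replace").splitlines():
            m = LINE_RE.match(raw)
            if m is None:
                continue  # malformed line: skip it, never guess a code
            if m.group(2) == kind.upper():
                yield LogEntry(m.group(2), int(m.group(3)), m.group(4))


def clause_is_relevant(log: GraphMakerErrorLog, code: int = 93456) -> bool:
    # exists entries "Error" of GraphMaker error log whose (Error Code of it = 93456)
    return any(entry.error_code == code for entry in log.entries("Error"))


def evaluate_text(log_text: str) -> bool:
    """Write log_text to a temporary file and evaluate the clause against it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "graphmaker_error.log"
        path.write_text(log_text, encoding="utf-8")
        return clause_is_relevant(GraphMakerErrorLog(path))


if __name__ == "__main__":
    print("advisory relevant:", evaluate_text(SAMPLE_LOG))
```

A warning entry carrying the same code, or an error entry that only mentions 93456 in its message text, does not make the clause relevant, and a missing log evaluates to not relevant rather than raising.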

[0555] Inspecting the Advice System

[0556] The advice reader maintains subscription information, pools of advisories and, in one implementation, logs that indicate the history of relevance evaluation and of automatic solution operation.

[0557] An advice system inspector is an inspector library that can be installed in the advice reader and which enables the relevance language to refer to data stored and managed by the advice reader itself. At a high level of abstraction, this is the same type of function that is enabled by database inspectors, registry inspectors, or user profile inspectors, only with a different database being inspected.

[0558] Such an inspector library defines access methods that allow one to obtain key data items from important components of the system:

[0559] The subscription database: Existence or nonexistence of certain subscriptions, address of advice sites associated with certain subscriptions, synchronization schedule associated with certain subscriptions, digital authentication information associated with certain subscriptions, other interesting attributes.

[0560] The advice database: Existence or nonexistence of certain advisory in the advice database. Relevance or irrelevance of certain advisory in the advice database. Existence or nonexistence of certain author in the advice database. Existence or nonexistence of certain subject in the advice database.

[0561] The advice reader's log files: Existence of a subscription to a certain site sometime in the past. Existence or nonexistence of certain diagnostic conditions, for example, aborted evaluation of certain advisory due to excessive time to evaluate an advisory. Relevance of certain advisory at some time in the past. Acceptance by user of an automatic solution operator associated with certain advisory at some time in the past.

[0562] The advice reader's configuration: Installation of certain inspectors. Parameters of advice reader operation. User preferences.

[0563] As an example of how such an inspector is used, suppose that in January 1998 a special piece of patch code was released which modified the application GraphMaker. Suppose that most consumers who installed this patch learned of it through the advisory process described herein. It is desired to reach users running the application GraphMaker who at some point in the past, prompted by an advisory, had installed the patch to the GraphMaker application. Suppose this is because an improved version of the patch has become available.

[0564] A comprehensive strategy for this situation formulates several advisories. The strategy formulates an advisory for users who have a current subscription to the advice site. This is prosaic in construction, and uses mechanisms described earlier. However, a comprehensive strategy also formulates three other advisories intended ultimately for other users:

[0565] First, the strategy formulates an advisory for users who no longer subscribe to the advice site, but who may have done so at some time in the past. The advisory is distributed by various means outside the normal subscription mechanism of the invention, for example through a service, e.g. UrgentAdviceNet. This advisory looks to see if GraphMaker is installed, to see if there is no active subscription to the GraphMaker advice site, and then at the log file generated by the advice reader to see if GraphMaker advisory “98/1/08-1” was relevant at some time in the past and if the user had accepted the proposed solution. Any consumer for whom this is relevant is notified, first that they should resubscribe to the site if possible, and second that when they do they get instructions about updating the patched code.

[0566] Second, the strategy formulates an advisory for users who have never subscribed to the advice site and never received the earlier advisory. This advisory checks if the affected version of GraphMaker is installed, and then sees if the current subscription database shows no active subscription, and also if the log shows no formerly active subscription. Any consumer for whom this is relevant is notified, first that they should subscribe to the site if possible, and second that when they do they get instructions about updating the patched code.

[0567] Third, the strategy formulates a counter-advisory for users who have somehow obtained a copy of the former advisory by means other than subscription, and which is somehow still active in the advice database. Such an advisory is not automatically deleted by site synchronization because it is not associated with the originating advice site. The advisory identifies the existence in the advice database of the old advisory. Any consumer for whom this is relevant is notified, first that this active advisory is no longer avowed by its author, second that the consumer should subscribe to the site if possible, and third that when they do they get instructions about updating the patched code.

[0568] Suppose that the advice reader has an inspector library installed which implements a set of methods associated with three central data types, referred to as adviceNet subscription inspector, adviceNet advice inspector, and adviceNet history inspector.

[0569] With such inspectors one may target consumers who may have adopted the proposed solution of the advisory in the past, but who do not currently subscribe:

[0570] exists application “GraphMaker” whose (version of it is version “1.01”)

[0571] and not exists entry “GraphMaker” of adviceNet Subscription inspector

[0572] and exists entry “relevant” of adviceNet History inspector

[0573] whose (author of it is “GraphMaker” and

[0574] identifier of it is “98/01/08-1” and

[0575] adoption status of it is “Accept”)

[0576] With such inspectors one may also target consumers who have never subscribed:

[0577] exists application “GraphMaker” whose (version of it is version “1.01”)

[0578] and not exists entry “Subscription” of adviceNet History inspector

[0579] whose (name of it is “GraphMaker”)

[0580] With such inspectors one may also target consumers who received the advice by other means than subscription:

[0581] exists application “GraphMaker” whose (version of it is version “1.01”)

[0582] and exists entry “Advisory” of adviceNet advice Database

[0583] whose (author of it is “GraphMaker” and identifier of it is “98/01/08-1”)

[0584] These inspectors enable a technical support organization to develop a process for maintenance of bodies of advisories and to adapt to the consequences of adoption/non-adoption of previous advisories.

[0585] A second type of example is provided by the case where an advice provider RealAudio wants to author an advisory checking whether a certain inspector is installed and is the correct version, for example, because advice depends on this. Assume that there is an inspector library which, when installed, adds adviceNet configuration as a property of World. RealAudio could serve up advice at its site with the relevance clause:

[0586] not exists inspector library “Netscape Preferences” of adviceNet Configuration

[0587] allowing one to check that an inspector library was not installed. The humanly interpretable content of the associated message is an explanation that for RealAudio advice to work properly, the user should get the appropriate inspector from the Netscape site. In addition, it could serve up advice qualified by:

[0588] version of inspector library “Netscape Preferences” of adviceNet

[0589] Configuration

[0590] is not version “1.0”

[0591] to target users with the wrong version of an inspector library.

[0592] Such an inspector enables a technical support organization to make sure that the advice reader is correctly configured to use the advice provided by that organization.

[0593] Variations

[0594] Alternate Transport Mechanisms

[0595] So far, the discussion herein has centered around a single mechanism for the transport of advisories. In fact, there are many situations where other means of transport are useful and/or desirable. Some such means of transport include:

[0596] advice by physical transport. An advisory may arrive at the consumer computer by file copy from a floppy disk, CD-ROM, or similar physically transportable medium.

[0597] advice by e-mail. An advisory may arrive as part of an e-mail message, routed from another consumer, or from an advice provider.

[0598] advice by USENet. An advisory may arrive as part of a news message distributed according to the USENet protocol, posted by another consumer, or by an advice provider.

[0599] advice by proprietary protocol. An advisory may arrive as part of a message distributed according to a proprietary protocol.

[0600] advice by file transfer. An advisory may be obtained by file transfer from another machine, where said transfer uses an application other than the advice reader. For example, a user might direct a Web browser to download an advisory file that is pointed to by a hypertext link. Or, an application might direct the downloading of an advisory, without user control, using FTP or some file sharing protocol.

[0601] There are three different procedures for treating advice that has arrived by one of these routes:

[0602] Adding to advice database. The advice is added to the existing database of advice being tested continually for relevance.

[0603] Situational evaluation. The advice is evaluated for relevance when opened, but not entered into any permanently maintained pool. When closed, the advisory has no interaction with the system. This type of advice is part of a manual check, for example, in a once only situation.

[0604] Stockpiling. The advice is stored on the consumer computer's storage device for future use. This means that at some future time it is added to the advice database or at some future time it undergoes one-time evaluation.

[0605] The possibility of situational evaluation, i.e. situational advice, bears special notice (see FIG. 16). This can be used to create rather complex digests of advisories which are opened by the consumer only when special needs or situations arise.

[0606] The following are examples of alternate transport mechanisms applied in the technical support application area:

[0607] advice before purchase. An advice digest arrives at the consumer computer as part of the shopping process for a new piece of software or hardware on the consumer computer. This collection may arrive by physical transport of media or by electronic transfer, for example, the consumer may obtain the digest from a Web site devoted to shopping. The digest, when processed by the advice reader, evaluates the consumer's hardware situation and informs the consumer about its suitability for various possible purchases. The process is typically run only once.

[0608] advice with installation. An advice digest 160 may arrive at the consumer computer as part of the installation process for a new piece of software or hardware on the consumer computer. This piece of software may have arrived by physical transport of media 161 or by electronic transfer 162. The new advisories may be added as part of an automatic initialization process whereby a subscription is automatically initiated and the advisories are placed in the advice pool as a way of initiating the local site image. An optional synchronization of the user location with the advice site may occur 163. The user reader opens the advice digest 164 and evaluates advice relevance 165. Advisories are displayed with optional solutions 166 and the user reacts to the advisories 167. The system may perform a standard software installation 168 and enter a subscription to a post-install advice site 169 to receive post-install advisories 170.

[0609] problem diagnosis. An advice digest may arrive at the consumer computer as part of the installation process for a new piece of software or hardware on the consumer computer. However, no use is made of the digest at installation time. Instead, the digest is copied onto the storage device of the computer. Later, the user is informed to open the digest by any of several means for situational use when a certain problem arises. Upon doing so, the user is notified of various advisories which apply to this specific situation and hardware/software/settings configuration. After the episode is over, the advice is closed, perhaps to be reopened at some later time for possible reuse.

[0610] Alternate Notification Mechanisms

[0611] Advisories can be presented to the user in other ways than through the usual advice reader interface. For example:

[0612] Via Notify Box in Other Applications. The user may be notified of the existence of a relevant advisory while using another application. Notification uses a mechanism appropriate to that application. For example, the consumer is engaged in another activity, e.g. viewing a video, and is notified in an unobtrusive way, e.g. in this case by picture-in-picture.

[0613] Via Desktop/Screen Saver. The user may be notified of the existence of a relevant advisory when he is not using an application. Notification uses a mechanism appropriate to the default presentation. For example, the desktop has an animated icon depicting the existence of relevant advisories. Another example, a screensaver presents an animated presentation whose state indicates status of machine, e.g. subsystems affected by advisories.

[0614] Via e-mail. The user may be notified of the existence of a relevant advisory by electronic messaging using e-mail. This includes textual summaries indicating the number and type of relevant advisories and the number and type of affected system components.

[0615] Via messaging. The user may be notified of the existence of a relevant advisory by electronic messaging driving other modalities of information transmission. This may include standard means of communication, such as pager, phone, and fax transmission. For example, in an environment where consumer appliances are connected to a computer in the home, the invention inspects properties of the devices and pages the consumer with urgent messages. An advisory is written referencing the temperature in the home, with the effect that if the temperature were excessively high or low, an advisory is relevant. Assuming that the relevance notification is set up to use alphanumeric paging, the consumer is paged to indicate that the temperature in the house was out of normal bounds.

[0616] Frequency of Relevance Evaluation

[0617] As so far described, relevance evaluation is a process carried out by the advice reader. A typical implementation continually evaluates all advice in the advice database for relevance, metering total CPU resource usage, and keeping resource consumption measured over intervals of, e.g. 1 second, below a certain fraction of available CPU time.

[0618] A typical implementation allows user involvement in three ways:

[0619] First, by allowing the user to set parameters controlling the fraction of CPU resource used during continuous evaluation.

[0620] Second, by allowing the user to group advisories into special pools which are evaluated according to differing schedules. For example, a manual pool is evaluated only under manual evaluation, while a nightly pool is evaluated only at a certain user specified time in the evening.

[0621] Third, by allowing the user to schedule relevance evaluation for an individual piece of advice manually, overriding all pool membership parameters.

[0622] There are a variety of important variations on this approach:

[0623] Skipping evaluation. In certain settings, it may be desirable not to evaluate each piece of advice in a pool with each pass through the pool. For example, those pieces of advice which take a very long time to evaluate are periodically skipped, or skipped based on the CPU usage of other applications running on the consumer computer. A piece of advice which is unevaluated retains the relevance status of the previous evaluation.

[0624] Scheduling based on author comments. In one implementation, the author of the advisory can specify the scheduling of relevance evaluation. He includes in the advisory file an Evaluate-When line that specifies details of evaluation scheduling. Options may include either a periodic schedule for relevance evaluation, a condition for relevance evaluation, or membership in a well known advice pool with a standard evaluation schedule.

[0625] Scheduling based on advice reader analysis. The process of evaluating relevance may be viewed as analogous to the process of running various processes in a computer operating system. Using traditional operating systems scheduling ideas, it is possible to allocate priorities to advisories and to assign lower priorities to certain processes. A special case of this is the procedure skipping evaluation, discussed above.

[0626] Variations in Relevance Evaluation

[0627] Simulated Conditions. In certain situations (see FIG. 17), it is useful to the consumer to simulate evaluation of advice in an environment other than the one which actually obtains.

[0628] In one implementation of the advice reader, a method is provided to simulate conditions which do not in fact obtain. Such an advice reader has a modification to the method invocation dispatcher of the advice reader. In this modification, the name of the method and the involved data types are compared with a simulation table 172 in a proxy layer 173 before a method dispatch occurs. The simulation table contents are user editable 171. If there is no match, dispatch occurs as normal, i.e. an advisory received from an expression tree evaluator 174 is dispatched by the method dispatcher 175. If there is a match, dispatch is suspended, and instead the value of the method is obtained by look-up from the associated cell of the simulation table. The result in either case is passed by the proxy layer to the system, e.g. to the file system inspector 176 or registry inspector 177.

[0629] Such an implementation allows the consumer to simulate conditions. The consumer overrides the usual relevance evaluation procedure by editing the simulation table, and by installing names of methods and argument types to be bypassed and the associated values to be returned.

[0630] In this way it is possible to provide a tool to:

[0631] Pretend the existence of devices which are typically connected, but are currently unreachable;

[0632] Determine whether a certain advisory or family of advisories goes away (i.e. becomes irrelevant) if certain modifications to the consumer computer are made, without actually making the modification;

[0633] Determine if the installation of a product causes certain advisories to become relevant.

[0634] There are many other applications of this approach.
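The proxy layer of [0628] can be sketched as follows. This is an added example, not the patent's implementation: the class names, the two constructed advisories, and the per-result "simulated" flag are assumptions. It shows that because the table is keyed on method name and data type only, one entry answers every call of that method, whatever the argument.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Key = Tuple[str, str]  # (method name, data type the method is applied to)


class MethodDispatcher:
    """Normal path: route a method call to the inspector implementing it."""

    def __init__(self) -> None:
        self._methods: Dict[Key, Callable[[Any], Any]] = {}

    def register(self, method: str, data_type: str, fn: Callable[[Any], Any]) -> None:
        self._methods[(method, data_type)] = fn

    def dispatch(self, method: str, data_type: str, arg: Any) -> Any:
        if (method, data_type) not in self._methods:
            raise LookupError(f"no inspector implements {method!r} on {data_type!r}")
        return self._methods[(method, data_type)](arg)


@dataclass
class ProxyLayer:
    """Consults the user-editable simulation table before any real dispatch."""

    dispatcher: MethodDispatcher
    simulation_table: Dict[Key, Any] = field(default_factory=dict)
    simulated_hits: List[Key] = field(default_factory=list)  # audit trail

    def call(self, method: str, data_type: str, arg: Any = None) -> Any:
        key = (method, data_type)
        if key in self.simulation_table:
            # Match: dispatch is suspended and the table cell is returned.
            self.simulated_hits.append(key)
            return self.simulation_table[key]
        return self.dispatcher.dispatch(method, data_type, arg)


# Constructed advisories: each is relevant when its device is NOT attached.
ADVISORIES = {
    "cdrom-missing": lambda p: not p.call("exists device", "string", "CD-ROM drive"),
    "scanner-missing": lambda p: not p.call("exists device", "string", "Scanner"),
}


def build_reader(attached_devices) -> ProxyLayer:
    """Reader whose only inspector method reports the attached devices."""
    dispatcher = MethodDispatcher()
    dispatcher.register("exists device", "string", lambda name: name in attached_devices)
    return ProxyLayer(dispatcher)


def evaluate_all(proxy: ProxyLayer) -> Dict[str, Tuple[bool, bool]]:
    """Return {advisory: (relevant, simulated)} for every advisory."""
    results = {}
    for name, clause in ADVISORIES.items():
        before = len(proxy.simulated_hits)
        relevant = bool(clause(proxy))
        results[name] = (relevant, len(proxy.simulated_hits) > before)
    return results


if __name__ == "__main__":
    reader = build_reader(attached_devices=set())
    print("real:     ", evaluate_all(reader))
    reader.simulation_table[("exists device", "string")] = True
    print("simulated:", evaluate_all(reader))
```

In the second run the user meant to pretend only that the CD-ROM drive is attached, yet the scanner advisory also turns irrelevant; carrying the simulated flag with each result lets a reader keep simulated verdicts visibly apart from real ones.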

[0635] User filtering. It has been tacitly assumed that a user typically wants to see all relevant advisories from all sites. In practice, a user might be interested in filtering the display of advisories, focusing on items from a certain site, from a certain pool, or focusing on advisories which exhibit certain keyword labels in the Refers-to or Solution-Affects.

[0636] Promotion of Trust

[0637] The invention provides a powerful tool for connecting advice consumers with advice provided by advice authors.

[0638] In certain settings, the invention must be security and privacy aware. For an extensive discussion of security and privacy considerations, see below. A typical instance of such a setting is where the invention is:

[0639] connecting an advice provider and an advice consumer via a public network, such as the Internet;

[0640] the typical advice consumer is a lay person; and

[0641] the advice provider is a large business or other concern which needs to protect and enhance its reputation.

[0642] In such a setting, it is important to take into account the widely perceived insecurity of public networks, and to offer tools so that consumers and providers behave wisely.

[0643] The communications process disclosed herein is designed to support the development of wise habits on the parts of both advice consumers and advice providers. A cornerstone of the process is that users should only interact with trusted providers, and to this end, the invention provides technology supporting the evaluation of trustworthiness by consumers and maintenance of trustworthy status by providers.

[0644] Importance of Trust

[0645] In general a trustworthy advice site has several qualitative attributes.

[0646] Quality. The advice is perceived by consumers as being well-intentioned, well-conceived, and well-executed.

[0647] Security. The advice is perceived by consumers as being secure, having no intent to harm, and having both an intent to help and being carefully tested and responsibly maintained.

[0648] Privacy. The advice is perceived by consumers as being private, having no intent to snoop or pry, and having both an intent to keep private and being carefully designed and responsibly maintained to maintain that intent.

[0649] Relevance. The advice is perceived by consumers as being tightly targeted, having no intent to go to wide populations of users as would a broadcast message (this is a practice sometimes called spamming in other messaging modalities, such as e-mail), and having both an intent to reach narrow groups of consumers with a focused need to know, and being carefully designed and responsibly maintained to achieve that intent.

[0650] The invention offers a number of technological tools facilitating open communication between consumer and provider which lead to proper attributions of trust. The invention, in one implementation, may offer mechanisms allowing interested providers to promote consumer trust and consumers to learn how to discriminate between trustworthy and untrustworthy providers:

[0651] Disclosure. Advice providers may have the ability to disclose the potential effects of advice, to describe experiences during testing or in the field.

[0652] Discovery. Advice consumers may have the ability to learn about the potential effects of advice, and about the experiences of others with certain advice providers, or with certain advice sites.

[0653] Feedback. Advice consumers may have the ability to comment on their experiences with certain pieces of advice.

[0654] Correction. Advice providers may have the ability to retract faulty advice.

[0655] Certification. Advice providers may have the ability to seek certification of their advice as safe and effective by an outside ratings service. The advice reader may have the ability to block advisories which are not rated in accordance with the consumer specifications.

[0656] The following is a more detailed discussion of these mechanisms.

[0657] Disclosure Mechanisms

[0658] The invention offers advice providers the ability to describe, in the humanly interpretable component of the message, the potential effects of advice and the experiences of the advice provider in testing or from user feedback.

[0659] By using several methods of disclosure, an advice provider can gain consumer trust and visibility.

[0660] In one implementation, a more formal method of documenting and monitoring the effects of the advice is offered, enabling an advice provider to disclose names of potential effects through stereotyped keywords.

[0661] A central authority, such as Better Advice Bureau, publishes a registered list of keywords which are used to describe the subsystems of the user computer or its environment which may be affected by the proposed solution, or the effects of the proposed solution on personal privacy. An advice provider, in authoring advice, uses this mechanism to disclose potential effects of a recommended solution operator through stereotyped keywords in a header line Solution-Affects.

[0662] In one implementation of the advice reader, these keywords are searchable and indexable, and relevance evaluation is subsidiary to it.

[0663] Consumer ease of use may be bolstered, in one implementation, by allowing various kinds of user side filtering based on these keywords. For example, a user plagued by enormous numbers of advisories whenever he detached the CD-ROM drive temporarily could use this feature to simplify his life. He would declare irrelevant all advisories referring to the CD-ROM drive in their keywords fields, and then afterwards detach the CD-ROM drive. In this way, even if there were advisories ordinarily triggered by the non-existence of an attached CD-ROM drive, the user would not have to see them. For an alternate mechanism, see the discussion of simulated conditions above.

[0664] Consumer confidence may also be bolstered by allowing such kinds of user-side filtering based on these keywords. For example, suppose that an available keyword reveals consumer Identity to a provider. By using this when it is the case, a provider has disclosed the effects of a message. A consumer who, as a matter of policy, does not participate in surveys and similar information gathering advisories could specify that all advisories which contained this keyword should be declared irrelevant. In this way, the provider has done his duty to disclose and the consumer who trusts the provider is rewarded with the ability to see only the important messages.

[0665] Discovery Mechanisms

[0666] In a typical implementation, the advice consumer can inform himself of potential impacts of a piece of advice before deciding to apply the recommended solution operator. Some of this may already be done using existing Internet technology. The consumer can query other Web sites and search engines to see if there is any news about a certain advisory.

[0667] The invention extends this mechanism through a special Internet server referred to as the Better Advice Bureau. The Better Advice Bureau serves as a central clearinghouse for information about the effects and side effects of advice. The user can at any time query the Better Advice Bureau, asking for any recorded comments about a specific advisory or a specific site.

[0668] Feedback Mechanisms

[0669] In a typical implementation, the advice consumer can provide feedback to the advice provider and to other consumers describing user experience with a piece of advice. Some of this may already be done using existing Internet technology. The consumer can use e-mail and USENet newsgroups to notify others about experience with a certain advisory.

[0670] In one implementation, the invention extends this mechanism through a special Internet server referred to as the Better Advice Bureau. The Better Advice Bureau serves as a central clearinghouse for information about the effects and side effects of advice. The user can at any time submit to the Better Advice Bureau Web site (described below), recording comments about the specific advisory or the specific site. The Better Advice Bureau can relay those comments to the advice provider, who can respond to them. In one implementation, the Better Advice Bureau protects the identity of the consumer by stripping off identifiers before mailing or posting. The Better Advice Bureau compiles all the information submitted by consumers, and provider responses, into a database available for queries over the network.

[0671] In one implementation, the advice reader offers direct access to this feature by including an easy way to create a message automatically about a certain advisory in the standard advisory display, and address it to the authorities at Better Advice Bureau. For example, a button is placed as part of the advice browser window. By clicking on that button, a mailer window opens up with the sending and recipient addresses, and with the advisory number and subject already supplied. The user is then always one click away from being able to record a commentary about certain advice.

[0672] Correction Mechanisms

[0673] In a typical implementation, the advice provider can disown advice that it has posted in error. This is done by removing the advisory from the provider's advice site. Over time, as subscribing advice readers synchronize with the provider's site, the advisory automatically disappears from those consumer computers.

[0674] In certain settings, this is not a sufficiently proactive solution. For example, certain advisories may be distributed by means other than the usual advice reader/advice site model. To the extent that certain consumers may have such advisories in their advice pool, but without associating them with a subscription, they need to be dealt with by a counter advisory. This is an advisory which acts as advice against another piece of advice. Using an advice inspector library as described above, it is possible to write an advisory that is relevant when the consumer computer has a certain advisory in its main advice pool. Such an advisory is typically as follows:

[0675] The advisory 40139 which we released on May 31, 1998 has been recalled, and we recommend that you delete it from your advice system immediately.

[0676] If you agree to this, click the <DoIt> button below. (signed) <Author's Name>.

[0677] Such counter advice is distributed by submitting it to UrgentAdviceNet, a special advice site to which all advice readers subscribe. The piece of advice is rapidly diffused to users.

[0678] In summary, the invention offers the following process for dealing with faulty advice:

[0679] Removing the bad advisory from the provider's advice site.

[0680] Writing a counter advisory and submitting it to UrgentAdviceNet.

[0681] Writing a better advisory.

[0682] Placing the better advisory at the provider's advice site.

[0683] Certification Mechanisms

[0684] One technique to further consumer acceptance of the use ofadvisories and the associated solutions is to remove some of the burdenfor determining the trustworthiness of messages from the individualconsumer. A method to do this is for a ratings service at a central siteto offer a service to advice providers that certifies advice as being inaccord with certain publicly known privacy and security standards. Underexisting Web protocols (see Khare, Rohit, Digital Signature LabelArchitecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64,Oreilly (Summer 1997) http://www.w3.org/DSIG) there is a method for theestablishment of URL ratings services, via a message block that canreliably certify that a certain ratings agency asserts that certaininformation resources have certain properties. The credibility of suchassertions, i.e. that the advice is actually being certified by theservice and not by an impostor, is based on deployment of standardauthentication and encryption devices. Applying this technology, aratings service can be established at a central site, e.g. Better AdviceBureau.org as described below, to certify that certain advice operatesin a fashion generally accepted as appropriate for the advertised task,is used in a manner to protect individual identity, and has generallybenign effects. Advice authors seeking certification of thetrustworthiness of their advice submit those advisories to thecertification authority, which studies the messages and, at its option,agree to certifies some of those messages. Here certification meansthat, according to a well known standard, a special ratings block isappended to the message indicating that the message is asserted by theauthority to have certain attributes.

[0685] In one embodiment of the invention, the consumer is offered the option of making integral use of one or more ratings services. This functions as follows:

[0686] A ratings service uses a well known format, such as PICS (see Khare, Rohit, Digital Signature Label Architecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64, O'Reilly (Summer 1997) http://www.w3.org/DSIG), for describing its ratings of resources such as advice sites and individual advisories.

[0687] The ratings service publishes a list of descriptive keywords used in the ratings system, such as BAB-Privacy-Standards-Compliant or does not affect file system.

[0688] The ratings service labels individual advisories using its own defined labeling system, inserting these labels into the advisories as ratings blocks according to a standard labeling format, such as PICS.

[0689] The ratings service labels individual advice sites by attaching labels to site description files using its own defined labeling system, inserting these labels into the site description files as ratings blocks according to a standard labeling format, such as PICS.

[0690] The ratings blocks are interpreted and authenticated by an established cryptographic signature mechanism associated with the service, and part of the ratings labeling standard.

[0691] The user interface of the advice reader is extended to contain a new component, i.e. the certification manager. This component allows the user to permit advisories to be evaluated for relevance only when they have been credibly certified by a trusted privacy ratings service as having properties with which the user is comfortable. For example, the user blocks advisories which are not certified by Better Advice Bureau as BAB-Privacy-Standards-Compliant, thereby obtaining a measure of confidence that advisories used in his system do not violate his privacy by revealing information to the outside world.

[0692] The certification manager has two defined roles:

[0693] Eliciting User Desires. The certification manager plays a role in initializing the certification process. It makes available to the user a list of potential ratings services among which the user can select. When a service is selected, the certification manager obtains from the ratings service URL a list of the defined ratings keywords, and allows the user to design a filter based on specifying that certain keywords or combinations of keywords must be present (or absent) for a message to be trusted.

[0694] Enforcing Policy. The certification manager also has the responsibility to parse and validate the ratings associated with individual messages, and block the evaluation of uncertified messages, or of certified messages not exhibiting the user's desired attributes.

[0695] Privileged Sites

[0696] In one implementation, the advice reader is preconfigured with hardwired subscriptions to three privileged advice sites. These built-in subscriptions play a central role in ensuring the security of the invention; together they form an immune system.

[0697] advisories.com

[0698] advisories.com is a Web and FTP site operated by the producer of the advice reader software. This allows users from all over the world to obtain information and updates about the system, about the advice reader, and any updates to the software or the invention's communication protocols.

[0699] It is also a trusted site for the distribution of subscription information. Digitally authenticated site description files can be found here for many of the major advice sites on the Internet. These site description files are signed with a digital signature mechanism that is automatically intelligible to every copy of the advice reader. This serves an important security function. As described in the section on security below, it is very important that there be a well known and trusted location that is the source for accurate information about starting a new subscription. By getting site description files from advisories.com, a user has a degree of confidence that he is getting accurate subscription information and is not vulnerable to various security problems.

[0700] It is also a site for the distribution of authoring information, in particular, coordination of certain authoring conventions. Two specific conventions have already been mentioned:

[0701] Keyword Coordination. This concerns the way in which advisories are used by advice authors to disclose descriptions of potential effects of advice on the consumer's computer or possessions or environment. A current listing of adopted keywords may be made available at the advisories.com site.

[0702] Coordination of User Profile Variables. This concerns a mechanism by which new variables may be added to the user profile by different advice providers. A current listing of adopted variables, their formats, and promulgators may be made available at the advisories.com site.

[0703] BetterAdviceBureau.org

[0704] Better Advice Bureau.org is both a Web site and an advice site on the Internet. It is a site dedicated to the maintenance of the communications protocol as a civilized means of communication.

[0705] The Better Advice Bureau.org Web site describes the principles of system operation, describes why the system is useful, and why it protects individual security and privacy. It describes known risks and recommended procedures for interacting with the system. It serves as a clearing house for user complaints about the operation of advisories, and as a place that consumers may come to for research about the experiences associated with an advisory that they are contemplating applying.

[0706] The Better Advice Bureau.org advice site is an advice site to which all advice readers subscribe. It issues what is referred to as meta-advice or counter-advice, in the form of advisories against bad advisories, or against bad sites. By this device, consumers become aware of situations within the advice process which are dangerous from the standpoint of security or privacy, and they can then take corrective measures.

[0707] It is also a site for the distribution of ratings information, in particular, publication of certain rating conventions, as described above. There are commonly accepted methods for rating resources on the Web according to criteria provided by a ratings service (see Khare, Rohit, Digital Signature Label Architecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64, O'Reilly (Summer 1997) http://www.w3.org/DSIG). The Better Advice Bureau, in one implementation, functions as a certifier of the privacy and security and usefulness of individual advisories. In this role, the Better Advice Bureau rates individual advisories by including in them a certain special ratings block, according to a well known ratings format, such as PICS. The Better Advice Bureau also publishes at its Web site the information needed to interpret such ratings blocks, including:

[0708] A list of descriptive keywords used in the ratings system, such as BAB-Privacy-Standards-Compliant or Does Not Affect file System.

[0709] Public key information associated with the certification process.

[0710] UrgentAdvice.net

[0711] UrgentAdviceNet serves to distribute advisories rapidly to all advisory consumers. It is used sparingly, to deal with urgent situations acutely affecting significant numbers of users. In one implementation, it has a high priority in synchronization, being synchronized every time any synchronization takes place.

[0712] Other Application Areas

[0713] In this document so far, the invention has been described in connection with the technical support application. The following is a partial list of other applications to which the invention may be put.

[0714] Consolidator.com

[0715] An Air Ticket consolidator purchases a block of 50 seats on a flight from New York to London for August 20. The consolidator wants to resell those seats to travelers. The consolidator maintains a relationship with a variety of travel agents.

[0716] The consolidator uses the invention to market its product more efficiently. The consolidator functions as advice provider, and authors an advisory whose relevance line asserts the existence of a consumer in the travel agency customer database who has reserved a ticket to go from New York to London on that date, or near that date. The advice provider places the advisory at his advice site.

[0717] Advice consumers, in this case the various travel agencies working with the ticket consolidator, have their representative computers set to subscribe to the consolidator's advice site. They also install a special inspector in their computer which searches the travel agency customer database for customers with certain travel plans. Advisories flow to their computers and are automatically inspected for relevance. Here relevance means a potential traveler who has plans to travel. The travel agent offers the traveler a ticket at the reduced price provided by the consolidator. The consolidator then makes a sale and the travel agent a commission. All participants win.

[0718] CheapFlights.com

[0719] A large airline frequently has last minute opportunities for travel at bargain rates. The airline wants to match the tickets to consumers with a continuing interest in last minute travel to certain cities. This airline can use the invention to market its product more efficiently. The airline functions as advice provider and authors advisories whose relevance line asserts the existence, in the user profile, of an expressed desire to travel to a certain city. The advice provider places the advisory at his advice site.

[0720] Advice consumers, in this case the potential travelers, have their representative computers set to subscribe to the airline's advice site. They add expressions of special interest to their user profiles indicating cities they are willing to fly to on short notice. Advisories flow to their computers and are automatically inspected for relevance. Here, relevance means a potential opportunity for a flight on short notice.

[0721] Commodity.com

[0722] The system described above works in many other commercial areas, e.g. one could build, as a result, such sites as CheapConcerts.com and CheapHotelSuites.com working on similar principles.

[0723] Extending this point, it is possible to run a new type of commodity market using the invention. In one model (see FIG. 18), there is a central site referred to as Commodity.com that functions as the market maker. This is attractive in a setting currently handled by classified ads, where there are many individual offerors seeking a central marketplace. The process is as follows:

[0724] 1. Offeror submits to Commodity.com an advisory offering object for sale 180.

[0725] 2. Commodity.com advice site staff edits and posts advisories 181, 182.

[0726] 3. Users subscribe to Commodity.com 184.

[0727] 4. Subscribers input information about interests to user profile 189, 190.

[0728] 5. Relevant advisories concern objects meeting their interests. The process proceeds as described above, where the advice reader gathers advisories from Commodity.com 183. Relevance evaluation is performed 185 in accordance with a user profile 190, as inspected by a user profile inspector 186. The user views the relevant commodities 187 and acts on the information contained therein 188.

[0729] BalanceTransfer.com

[0730] In the world of financial services, there are many companies that attempt to market specific services to customers directly. These include credit cards with specially low rates on cash advances, particularly credit balance transfers from competing financial instruments, and mortgage refinancing offers.

[0731] The attempt to reach consumers is expensive and often difficult. Certain consumers, who might otherwise be interested in the financial benefits of the service, do not allow telephone or mail contacts. Other consumers do not disclose sensitive information over the phone, which is typically required to participate.

[0732] The following is an example of a financial services offer through use of the invention. This embodiment of the invention is described as a centralized system, although it easily could be a decentralized system.

[0733] 1. Offeror submits advisory to BalanceTransfer.com offering balance transfer to those with sufficient balances and incomes.

[0734] 2. BalanceTransfer.com advice site staff edits advisories and posts.

[0735] 3. User subscribes to BalanceTransfer.com.

[0736] 4. User fills out information about credit card balance, existing interest rate on balance, and income for User Profile.

[0737] 5. Advice reader uses remote connection to verify balance, preserving privacy.

[0738] 6. Relevant offers are those which benefit user. The advisory, if well written, uses the income data to test if the applicant is approved. Hence, relevant advisories have credit preapproved.

[0739] There are many variations on this kind of advice. Home refinancing operates in substantially the same way. The advisory is written mentioning variables associated with the principal, current interest and term of an existing loan. An advisory is relevant if it provides a set of better terms than an existing loan.

[0740] There is no reason why this service must be globally centralized. In a typical variation, individual mortgage brokers offer their own advice sites.

[0741] BadPills.com

[0742] The invention can be used for a variety of consumer product warnings, recalls, and safety advisories. The following is one example.

[0743] BadPills.com is a site where information is available about drug products and their interactions. The following describes how the site operates to notify pharmacies about potentially damaging drug interactions in their customer base.

[0744] The FDA and other organizations, e.g. pharmaceutical manufacturers and consumer organizations, submit information about interactions and side effects of medications. Each advisory has the following form:

[0745] The relevance clause asserts the existence in the pharmacy database of customers with active prescriptions for drugs with a known potentially damaging interaction.

[0746] The human readable content tells about the interaction, tells the pharmacist that he has such an interaction in his client base, and urges the pharmacist to correct the situation.

[0747] Advice site collects submissions, edits and posts.

[0748] Pharmacy subscribes to the site. As part of subscription initiation, the pharmacy must install a standard pharmacy customer database inspector on its computer. This inspector can check to see if any patients in the database have a certain prescription.

[0749] Pharmacy computer gathers advisories routinely.

[0750] Relevance evaluation generates queries to pharmacy customer database inspector.

[0751] Database inspector processes pharmacy database.

[0752] Relevant messages are provided for dangerous drug combinations.

[0753] There are many variations on this embodiment of the invention. A similar service for physicians is made available through a physician patient database inspector for those physicians who keep track of patient subscriptions on their office computers. A similar service for patients is made available through an individual health record database inspector for those individuals who enter their own subscriptions in the user profile. One way to simplify this is to have an information exchange program, allowing a user to remotely query the pharmacy database for information about himself.

[0754] Group Anonymous Messaging

[0755] Suppose there is a group G of individuals who wish to have an anonymous communication with a provider P. The individuals in G are widely distributed and do not know each other. There is a way to use the invention to set up a site for two-way anonymous communication of this kind.

[0756] Such communications are made widely available and are used by many persons. For the anonymity of the participants, it is important that the system be used by many different persons from many different groups.

[0757] The site is an anonymous posting advice site where any e-mail sent to a certain address has its identity stripped and is posted at the advice site. Such an advice site operates completely automatically. This site may be referred to as SecretFriends.org.

[0758] This site may be used in conjunction with private-public key cryptosystems. Secure off-line refers to a system where an agent of G arranges with P for a conversation. The agent delivers to P a public-key which is created for G for the purpose of conducting this discussion. This key is not actually public. It is a secret known only to G and to P. It is only referred to as a public key because it is the key which is commonly made public in standard applications of public-private key systems. The key is only delivered to P. Similarly, the agent returns a specially created public key from P to G.

[0759] G and P exchange messages by the following process:

[0760] Subscribing to SecretFriends.org.

[0761] Authoring messages which are relevant only to those holding the decryption key they have released.

[0762] Using anonymous remailers or other means to post to SecretFriends.org the encrypted messages.

[0763] This approach provides anonymous communications as follows: A participant's advice reader synchronizes with SecretFriends.org. Potentially, a great number of advisories, actually encrypted messages, are obtained. The only messages that are displayed by the advice reader are those that are actually decryptable using the indicated key. The others are all jettisoned. The relevant advisory is then decrypted and read.

[0764] This approach provides anonymity under the AEUP protocol because, assuming many different people are using SecretFriends.com, there are a great number of messages being placed there, and only a tiny fraction end up being of interest to a given reader. Because of the structure of AEUP, no one watching the process at the advice site can tell which messages turned out to be relevant to which user.
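
The exchange in paragraphs [0759] to [0764], as an added example that is not part of the patent text: every reader pulls the whole feed and decides relevance locally by trial decryption, so the posting site never learns which message was meant for whom. The `PostingSite` class, the message layout, and the HMAC-SHA256 encrypt-then-MAC construction (a standard-library stand-in for the key pair the text describes) are assumptions; keys and messages are constructed.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from the group secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a keystream (stand-in cipher, an assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def try_open(key: bytes, blob: bytes):
    """Return the plaintext if blob was sealed under key, else None (not relevant)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class PostingSite:
    """Hypothetical stand-in for the anonymous posting site: keeps only message bodies."""

    def __init__(self):
        self.feed = []

    def post(self, email: dict):
        self.feed.append(email["body"])   # sender fields are dropped, never stored

    def synchronize(self):
        return list(self.feed)            # every subscriber receives the same full feed


def relevant(feed, key: bytes):
    """Local relevance test: keep what opens under our key, jettison the rest."""
    return [m for m in (try_open(key, blob) for blob in feed) if m is not None]


def demo():
    """Constructed scenario: two unrelated groups share one posting site."""
    site = PostingSite()
    key_gp, key_other = os.urandom(32), os.urandom(32)
    site.post({"from": "agent@g.example", "body": seal(key_gp, b"G to P: meet Tuesday")})
    site.post({"from": "x@other.example", "body": seal(key_other, b"unrelated group")})
    site.post({"from": "p@p.example", "body": seal(key_gp, b"P to G: agreed")})
    feed = site.synchronize()
    tampered = [blob[:-1] + bytes([blob[-1] ^ 1]) for blob in feed]
    return {
        "member": relevant(feed, key_gp),             # sees only its own group's messages
        "outsider": relevant(feed, os.urandom(32)),   # same download, nothing opens
        "tampered": relevant(tampered, key_gp),       # modified messages are dropped
    }


if __name__ == "__main__":
    print(demo())
```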

[0765] Distribution of Sensitive Product Information

[0766] A variant on the group anonymous messaging embodiment, in a specific setting, is provided as an information service for consumers of products who do not want it known that they use the indicated product. For example, users of antipsychotic medication or those undergoing cancer treatment.

[0767] Users of the sensitive product are given a numerical code with the purchase of the product which serves as the (secret) public key. The users then subscribe to a certain advice site, arranged in advance, which is, for example, SecretFriends.org, or an industrywide consortium site, for example Druginfo.org. The users indicate in their subscription the (secret) public key. The advice reader periodically synchronizes with the site, and brings in advisories, some of which may concern the product. The others do not concern the product. Only the advisories associated with the specific medication pass the digital signature test and become relevant.

[0768] Security Issues

[0769] When the invention disclosed herein is implemented as described above and deployed in the technical support application, it may be operating in a security and privacy critical setting. The implemented system is then typically interacting automatically with the Internet, and obtaining and using resources from remote computers without direct human oversight. These resources remain resident on the consumer computer, typically over an extended period of time, being evaluated periodically for relevance. When relevant advisories are identified, the advice reader displays to the human consumer the explanatory content of the relevant advisory. This explanatory content may propose to the consumer actions which may have effects on the computer, on attached devices, or elsewhere. If the consumer gives approval, these actions typically are then carried out automatically.

[0770] In short, the advice reader introduces into the consumer computer documents that are processed automatically and that after processing may propose to the user potentially permanent modifications to the computer or its environment. The consensus opinion of networking professionals (see Anonymous (1997) Maximum Security, Sams.net Publishing, Indianapolis; Oaks, S. (1998), Java Security, O'Reilly, Sebastopol, Calif.; and Baker, R. H. (1995) Network Security, McGraw-Hill, New York) is that unsupervised interaction with the Internet poses serious risks. In fact the invention, in its standard mode of operation, does not expose the advice consumer or advice provider to risks greater than the baseline risks involved in typical usage of e-mail, browsers, and related Internet tools. Those modes of Internet interaction are currently considered acceptable risks. The invention, in a typical mode of operation, offers lower risk.

[0771] Preliminary Comments

[0772] Two fundamental points are of interest.

[0773] Trusted sites. The concept of trust is discussed above. Users should only subscribe to advice sites that are known to them to provide trustworthy advice. In fact, consumers typically configure their advice reader to subscribe mainly to advice from large concerns which manufacture goods and services of interest to the consumer such as, for example, a computer manufacturer, a software publisher, or the provider of Internet service. Subscription to substantial organizations of this type is a reasonably secure practice. Such organizations have an interest in providing trustworthy advice so that they maintain rapport with their consumers. It is anticipated that very few risks are posed to advice consumers who subscribe to advice authored by such concerns.

[0774] Better Advice Bureau. The Better Advice Bureau.org, which is described above, is a fundamental tool for ensuring the security of invention users. All invention users subscribe to this site. This site compiles counter advice, informing users about dangerous sites and about bad advice which is circulating. The Better Advice Bureau functions in some respects as an immune system for the invention, allowing the correction of dangerous situations. UrgentAdviceNet is another site to which all users subscribe. It provides a special mechanism for delivering very urgent counter advice to the consumer population.

[0775] Absence of High Profile Risk

[0776] The following discussion of security considers some of the more well known risks of Internet interaction and then explains why these well known risks actually do not arise under the invention when used in a typical implementation.

[0777] Inventory of High Profile Risks

[0778] Internet operations have in the past suffered a number of active threats that can be symbolized by three figures who have captured the popular imagination:

[0779] Break-ins: Kevin Mitnick. Over a period of years Mitnick used the Internet systematically to break into computers worldwide, and he managed deliberately to cause some to crash or to lose data permanently. While it is supposed that Mitnick was some sort of evil genius, the truth is that sites on the Internet give instructions on how to break into Pentagon computers. A Pentagon led experiment in 1997 showed that using publicly available information one could, in fact, access classified DOD computers and cause permanent damage to files.

[0780] Attacks. The Internet currently makes software tools available for free which allow their users to attack other people's computers over the Internet, causing those computers to crash. The basic strategy is to connect to various TCP/IP port servers on the intended victim computer and flood it with requests for service. (Anonymous, Maximum Security, Sams.Net 1997)

[0781] Worms: Robert Morris, Jr. In a well-known 1988 episode, Morris released a worm which spread rapidly across the Internet, installing itself in many machines, and while in execution on those machines, spread itself to other machines. In fact, Morris was attempting no more than a prank. The rapid and pervasive spread of the worm surprised him, as did the enormous amount of time required to eradicate the worm and regain full capabilities of the affected computers. The powerfully disruptive nature of the worm was caused by its ability to spread automatically, and run automatically on whatever machine it reached. This case dramatizes the risks that can arise through the automatic spreading of executable code across the Internet. (Pfleeger, Security in Computing, Prentice Hall 1996)

[0782] Absence of Consumer Exposure to High-profile Risk

[0783] The advice reader does not expose the consumer to additional risk from these high profile sources beyond the baseline risk he suffers now.

[0784] The advice reader is not vulnerable to break-in because it does not offer any kind of interactive shell offering log-in access, as the term break-in requires.

[0785] The advice reader does not expose the consumer computer to any extra risk of attack beyond the risk the consumer already faces due to Internet connectivity.

[0786] The advice reader adds no risk because it does not make available any perpetually open TCP/IP port which can be flooded with requests. There is nothing the outside world can do to try to talk to or initiate an interaction with the advice reader.

[0787] The advice reader does not expose the network to any risks of worms. In a typical configuration, the system does not offer any mechanism by which anything can spread from advice reader to advice reader.

[0788] Server Exposure

[0789] Consider the vulnerability of the invention server to active threats. A server using the invention, as with any Internet-based server, exists for the purpose of offering services to the outside world. It is visible on the Internet and open for business, typically around the clock.

[0790] There is no risk of break-in, because there is no interactive shell offering log-in access, as the term break-in implies. However, the server can be flooded with requests as with any Internet server. There are well known techniques to combat such request floods, and professional Web site operators know about them. The server side users of the invention are professionals who are well equipped to evaluate and react to this type of standard threat.

[0791] The invention's server does not expose the server to any risks of worms. In a typical configuration, the system does not offer any mechanism by which anything can spread from advice reader to advice server, or by which anything other than an extremely narrow range of functions can be performed by the server.

[0792] Protective Influence

[0793] There is a certain sense in which the invention actually can help protect against worms, break-ins, and attacks. The advice delivery mechanism allows network security personnel to create advisories warning the consumer when the consumer is behaving in a way that leaves the door open to criminal disruption. The advice delivery mechanism also allows network security personnel to author advisories which diagnose whether a user is currently being attacked, or has been recently attacked. In this way, the invention functions as an immune system, allowing the rapid spread of corrective advice.

[0794] Spoofing Risks

[0795] In effect, the invention interaction is never completely unsupervised. The advice reader only interacts with advice sites that have been subscribed to by the user. The user is therefore, in his choice of subscriptions, exerting a kind of permanent high level supervision. If the user subscribes only to sites offered by organizations with a strong incentive to provide trustworthy advice, he is protected. An individual making harmful advice does not legally have a way to force the introduction of that advice into any given advice reader.

[0796] There is a very important category of active threat which is not widely known, i.e. attack by spoofing. In this category falls spoofing of Internet locations, i.e. the user thinks he is communicating with a certain trusted site, but actually is communicating with an impostor site. Another kind of spoofing is the use of mole programs which appear to be standard applications but which actually are not, and can violate privacy and security in other ways. (Anonymous, Maximum Security, Sams.Net 1997)

[0797] DNS Spoofing

[0798] In this scenario, an impostor creates a near clone of a popular and trusted site, such as the site of MicroComp. However, the impostor site also contains harmful advice.

[0799] DNS spoofing provides a way for the impostor site to appear to certain users on the network as if it were actually the popular and trusted site of MicroComp. The only way this could happen under current network protocols is for the impostor to interfere with the DNS lookup process of certain consumers, and misdirect certain consumer advice requests aimed for MicroComp.

[0800] DNS spoofing operates as follows: The impostor must have system level access to a machine on the Internet which is physically located in a position to intercept some of the domain name resolution requests intended for a certain Domain Name Server (DNS). The impostor programs the IP routing logic to inspect the intercepted requests looking for those which refer to MicroComp and, when such a request is found, to return an incorrect TCP/IP address, the returned address referring to his fake advice site. All advice readers situated downstream from the impostor are in this way misdirected to the fake advice site whenever they try to go to the MicroComp advice site. The fake site appears just like a real site, but distributes harmful advice under the pretense of being a trusted provider. In short, by perpetrating DNS fraud, there is a way for an attacker to introduce damaging advice directly into one or many computers.

[0801] This sort of activity constitutes criminal fraud under current federal regulations. This type of fraud is reportedly rare (see Anonymous (1997) Maximum Security, Sams.net Publishing, Indianapolis). In addition, a perpetrator able to carry off this type of fraud might find systems using the invention to be less attractive than other targets. For example, DNS spoofing of large electronic commerce sites such as bookstores and computer software warehouses is more attractive to the perpetrator, in the sense of offering a more rewarding payoff if the spoof is successful. Indeed, the perpetrator could offer a Web site pretending to be the Web site of a certain merchant, offering up Web pages with the same general visual appearance as Web pages from the correct site. The fake Web site contains forms which the user fills out to execute the transaction. In reality, those forms are used to capture information about credit card numbers or other sensitive financial data. This seems a more direct way for a perpetrator to benefit from a DNS spoofing scheme.

[0802] This sort of activity affects only a subset of the users of a large public network such as the Internet. For example, assuming that an individual consumer enjoys a secure connection to a DNS server, and assuming also that the information on the DNS is maintained securely, DNS spoofing is not a material threat for that particular consumer. In most moderately large corporate environments, DNS services are provided within the corporate intranet. Assuming that the impostor is outside the corporation, then for advice consumers within the corporation, this spoofing threat is stymied by the standard security devices for intranets, i.e. firewalls. Certain noncorporate advice consumers enjoy Internet access through Internet service providers offering DNS servers located on the Internet in close physical proximity to their modem banks. Assuming that the impostor is not inside the physical domain of the Internet service provider's offices, consumers who use such DNS services may also be secure against DNS spoofing.

[0803] In effect, spoofing is only a threat for advice readers relying on insecure connections to their DNS. In future network protocols, DNS connections may be digitally authenticated, and the spoofing threat is stymied in such settings as well. Until that time, the invention has a way to stymie this threat under the current regime using digital authentication of advice itself. Digital authentication of advice is also of interest to those consumers with secure DNS connections because advice may be distributed, in some implementations, by insecure means such as e-mail or sneakernet. It gives the user additional confidence in the advice he is receiving.

[0804] In a typical implementation of the invention, the term digital authentication refers to the use of existing digital signature mechanisms based on so-called public-key/private-key pairs (see PGP 4.0 Users Manual, PGP Pretty Good Privacy, Inc. (1997)). This mechanism is developing into a well understood, mature, and reliable standard. Other forms of digital authentication can be used with equal validity.

[0805] The following describes how the public-private key pair mechanism is used to authenticate advice. The advice provider, e.g. MicroComp, acquires a public-key/private-key pair, of which the private key is a secret known only to the provider. The provider takes steps, described below, to publicize the correct public key. The provider, knowing both keys of the pair, attaches to each advisory a signature block which is successfully interpreted by an advice reader which knows the correct public key. The ability to interpret the block is considered by the advice reader proof that the author knew both keys, which is considered proof that the author is in fact MicroComp. In a typical implementation, a user interface component informs the user that a given piece of advice is signed by MicroComp. The precise meaning of this is that the signature block is successfully interpreted by using the known public key.

[0806] The invention's mechanism for protection from the DNS spoofing threat involves actions by both the consumer and the provider. The provider authors a site description file, containing a listing of the information related to the subscription, including the site's location and the site's digital signature public key. The provider publishes the site description file, for example in physical media such as a disk or CD-ROM, as part of the distribution of a software product offered by MicroComp. In this way, many consumers obtain copies of the site description file by secure means. A consumer initializing a subscription to MicroComp presents to the advice reader's subscription manager the site description file for MicroComp. The provider, whenever authoring an advisory, attaches a digital signature block. The advice reader, whenever obtaining a piece of advice, checks that the digital signature is successfully interpreted using the public key known to the reader to correspond to MicroComp. Unless the advisory passes this test, the advice reader refuses to evaluate the advice for relevance. The reader may also notify the user that there is unsigned advice coming from a site whose site description file claims that the site provides only signed advice. The reader also offers to inform Better Advice Bureau of this fact.

[0807] To see why this approach protects against DNS spoofing, it is important to understand a basic feature of the public-key/private-key system. It is commonly accepted that an impostor faces a very difficult time trying to fake the digital signature of MicroComp.Com. This conclusion rests on the assumption that the impostor must make a successful fake signature using only the publicly available information associated with the encryption scheme; i.e. that the impostor does not have access directly to MicroComp.Com's private key. It is computationally an extremely difficult task for an impostor to fake a digital signature correctly from publicly available data (see C. Pfleeger, Security in Computing, Second Edition, Prentice-Hall (1996); and PGP 4.0 Users Manual, PGP Pretty Good Privacy, Inc. (1997)). It is an equivalent computational task to the task of factoring an integer with hundreds or thousands of digits into its prime factors. Using networks of many thousands of computer workstations over periods of many months, it has been possible to factor individual numbers with about 150-200 digits. However, this has been achieved only by a kind of vast scientific collaborative enterprise. It is unlikely that an impostor has access to the required resources for mounting an effort that would succeed on integers of the lengths commonly used in signature algorithms. Moreover, there is an easy remedy, i.e. double the number of digits of the keys, putting the factorization task beyond reach of any currently conceivable collaborative effort based on currently conceivable computational resources.

[0808] In short, an impostor is highly unlikely to be able to author advice with a digital signature which is intelligible using the correct MicroComp public key. Unless the impostor can do this, the advice reader refuses to evaluate the advice for relevance, and so the impostor's advice poses no substantial threat.
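The acceptance rule of [0805]-[0808], as an added Python example (not code from the patent): the reader pins the public key taken from the site description file and refuses to evaluate any advisory that does not verify against it. Textbook RSA over small constructed keys stands in for a real signature scheme such as PGP and is not secure; the `SiteDescription` fields, the `signed_only` flag, the host name and the advisory text are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

E = 65537  # public exponent shared by both constructed key pairs


def make_keypair(p: int, q: int):
    """Textbook RSA from two primes; returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _digest(text: str, n: int) -> int:
    return int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest(), "big") % n


def sign(text: str, n: int, d: int) -> int:
    """Provider side: only the holder of the private exponent d can produce this."""
    return pow(_digest(text, n), d, n)


def signature_ok(text: str, signature: int, n: int) -> bool:
    """Reader side: needs only the public modulus pinned at subscription time."""
    return 0 < signature < n and pow(signature, E, n) == _digest(text, n)


@dataclass(frozen=True)
class SiteDescription:      # hypothetical layout of a site description file
    name: str
    location: str
    public_key: int
    signed_only: bool = True


@dataclass(frozen=True)
class Advisory:
    site: str
    body: str
    signature: Optional[int] = None


class AdviceReader:
    def __init__(self):
        self.subscriptions = {}    # site name -> SiteDescription obtained by secure means
        self.bureau_reports = []   # notices the reader would offer to send to the bureau

    def subscribe(self, desc: SiteDescription) -> None:
        self.subscriptions[desc.name] = desc

    def admit(self, adv: Advisory) -> str:
        """Decide whether an advisory may go on to relevance evaluation."""
        desc = self.subscriptions.get(adv.site)
        if desc is None:
            return "refused: not subscribed"
        if adv.signature is None:
            if desc.signed_only:
                self.bureau_reports.append(f"unsigned advice claiming to be from {adv.site}")
                return "refused: unsigned"
            return "evaluate"
        if not signature_ok(adv.body, adv.signature, desc.public_key):
            return "refused: bad signature"
        return "evaluate"


# Constructed keys built from Mersenne primes; far too small for real use.
PROVIDER_N, PROVIDER_D = make_keypair(2**127 - 1, 2**89 - 1)
IMPOSTOR_N, IMPOSTOR_D = make_keypair(2**107 - 1, 2**61 - 1)


def demo():
    reader = AdviceReader()
    reader.subscribe(SiteDescription("MicroComp", "advice.microcomp.example", PROVIDER_N))
    body = "Relevant if driver version is below 2.1: install the update."  # constructed
    genuine = Advisory("MicroComp", body, sign(body, PROVIDER_N, PROVIDER_D))
    forged = Advisory("MicroComp", body, sign(body, IMPOSTOR_N, IMPOSTOR_D))
    altered = Advisory("MicroComp", body + " Extra line added in transit.", genuine.signature)
    unsigned = Advisory("MicroComp", body)
    outcomes = [reader.admit(a) for a in (genuine, forged, altered, unsigned)]
    return outcomes, reader.bureau_reports


if __name__ == "__main__":
    print(demo())
```

Only the advisory signed with the pinned key reaches evaluation; where the advisory was fetched from plays no part in the decision, which is why a spoofed DNS answer does not help the impostor.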

[0809] Key Spoofing

[0810] An apparent hole in the digital authentication system is the possibility of key spoofing. In this scenario, the consumer's advice reader has somehow accepted an incorrect public key for MicroComp, i.e. a key which is not the correct key for MicroComp, but is instead the public key of a public-key/private-key pair owned by the impostor. If this happens, then the advice reader can be deceived because it recognizes the impostor's advice as valid. However, the invention is designed to prevent this scenario from occurring.

[0811] For key spoofing to occur, the consumer's subscription must be initiated using a site description file that is not obtained through secure channels, such as the original software installation from physical media. The impostor must author fake site description files and distribute these on the Internet.

[0812] A typical implementation of the invention cannot be fooled by key spoofing. There are three mechanisms for this, any combination of which may be effective:

[0813] Certification of site description files. In one implementation, site description files may include a digital signature by a central authority, the Better Advice Bureau, testifying that the site description file purporting to be authored by MicroComp is, in fact, so authored. The digital signature of Better Advice Bureau is hard wired into the advice reader, thereby avoiding the possibility of spoofing the Better Advice Bureau certification.

[0814] Spoof-Proof Key Verification. A typical implementation of the subscription manager performs key verification prior to recording a subscription. It contains hard wired information enabling it to make a direct TCP/IP connection to a hard wired IP address of a key authentication server. Such a server verifies that a given organization's public key is as it is said to be. Because the contact address of the server is hard wired into the program, access to the key server cannot be DNS spoofed.

[0815] Counter-advice. If a certain site is successfully spoofed, it may submit to Better Advice Bureau.org an advisory which goes out to all advice readers because Better Advice Bureau.org is a built-in subscription. The advisory asserts the value of the correct public key associated with the site. Those users with incorrect public keys are notified with the relevant advisory, which explains the risks involved. If the issue is particularly urgent, the site UrgentAdviceNet is employed.

[0816] In summary, if the advice reader and its subscriptions are appropriately configured, the advice consumer is protected from spoofing when the advice provider digitally signs his advisories.

[0817] Reduction of Spoofing Threats

[0818] DNS Spoofing, while a significant threat to Internet security, is not more of a threat to the invention than to other components of the Internet, especially e-commerce. The Better Advice Bureau.org and UrgentAdviceNet are important devices to help suppress spoofing of advice.

[0819] Better Advice Bureau.org and UrgentAdviceNet are important devices to help suppress spoofing of all Internet activities. By the use of this combination, the Internet's susceptibility to spoofing may be reduced, and the attractiveness of spoofing in other settings, outside of the invention, is reduced.

[0820] Advice Reader Moles

[0821] Another potential hole in the invention's security system is the possibility that a copy of the executable binary of a legitimate advice reader is acquired by an attacker, and then is systematically altered to introduce various new behaviors. The resultant illegitimate reader is then redistributed on the Internet, where it masquerades as a legitimate copy of the advice reader, and is downloaded and used by unsuspecting consumers. Nothing can stop the creation of such illegitimate readers. Nothing can stop illegitimate versions of a software tool from displaying very damaging behavior. This is well understood by the community of Internet users worldwide. Anyone who downloads software over the Internet from sites which are not authentic providers of trusted software exposes himself to the same risk, whether the software is a word processor, a spreadsheet, a Web browser, or the advice reader.

[0822] However, of concern is the possibility of illegitimate mole readers whose goal is not to cause damage but to compromise the security and privacy of the user. Such mole readers contain subtle features escaping detection by casual observation but allowing for subtle effects on the user's environment or for the gathering and forwarding of important information about the user. Again, the invention is no more vulnerable to this kind of modification than any other piece of software. However, the typical implementation of the invention contains two mechanisms which can identify the existence of mole software and help correct the situation.

[0823] Server-Challenge. This is implemented as part of the invention server-reader interaction protocol. A typical implementation of the server begins its transaction with an advice reader through a handshaking session, in which the server challenges the reader to prove that it is a valid version of an advice reader. In a typical implementation, the advice reader is written to create certain data blocks with known properties dynamically in memory at known location offsets from the beginning of the program. The method by which the data was created and the purpose of the creation are guarded secrets. The server selects random blocks of this data and asks the reader for the correct digital digest associated with such a block. If the program is altered, it is difficult for the executable code to answer the challenge correctly. If the server receives an unsatisfactory answer, the server then transmits advice to the reader which is automatically relevant, stating that the user's advice reader appears illegitimate. The advice reader may also refuse to interact with servers that do not pass a digital authentication test.

[0824] Advice-Challenge. The invention, at Better Advice Bureau.org, offers advice whose intent is to verify that a valid configuration of the invention is installed. The advice, which may change daily, asserts that certain blocks of the data in the CPU memory while the advice reader is running have certain digital digests. The blocks are chosen randomly by the Better Advice Bureau.org authority, or according to design, when a certain well known mole is to be diagnosed from a specific motif in the binary data at a specific location.
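An added Python sketch of the two challenges in [0823] and [0824] (illustrative, not the patent's implementation): the server asks for digests of randomly chosen blocks during the handshake, and digest-bearing advice is checked locally by the reader. The image contents, the block size, SHA-256 and the per-challenge nonce are assumptions; `hit_probability` computes how likely one random block is to overlap a small alteration, which is what determines how many rounds a handshake needs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

IMAGE_SIZE = 4096   # constructed size of the challenged data region
BLOCK_LEN = 64      # constructed block length


def build_image(seed: bytes, size: int = IMAGE_SIZE) -> bytes:
    """Constructed stand-in for the data blocks a genuine reader creates in memory."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


@dataclass(frozen=True)
class Challenge:
    offset: int
    length: int
    nonce: bytes    # assumption: fresh per challenge so old answers cannot be replayed


def block_digest(image: bytes, ch: Challenge) -> str:
    block = image[ch.offset:ch.offset + ch.length]
    return hashlib.sha256(ch.nonce + block).hexdigest()


class Reader:
    def __init__(self, image: bytes):
        self.image = image

    def answer(self, ch: Challenge) -> str:
        return block_digest(self.image, ch)


class ChallengeServer:
    def __init__(self, reference: bytes, rounds: int = 8):
        self.reference = reference
        self.rounds = rounds

    def new_challenge(self) -> Challenge:
        offset = secrets.randbelow(len(self.reference) - BLOCK_LEN + 1)
        return Challenge(offset, BLOCK_LEN, secrets.token_bytes(16))

    def handshake(self, reader: Reader) -> bool:
        """True only if every randomly chosen block is answered correctly."""
        for _ in range(self.rounds):
            ch = self.new_challenge()
            expected = block_digest(self.reference, ch)
            if not hmac.compare_digest(reader.answer(ch), expected):
                return False
        return True


def hit_probability(patch_start: int, patch_len: int,
                    size: int = IMAGE_SIZE, block_len: int = BLOCK_LEN) -> float:
    """Chance that one uniformly chosen block overlaps an altered byte range."""
    lo = max(0, patch_start - block_len + 1)
    hi = min(size - block_len, patch_start + patch_len - 1)
    return max(0, hi - lo + 1) / (size - block_len + 1)


def detection_probability(patch_start: int, patch_len: int, rounds: int) -> float:
    return 1 - (1 - hit_probability(patch_start, patch_len)) ** rounds


def make_digest_advice(reference: bytes, blocks):
    """Authority side of the advice-challenge: (offset, length, expected digest)."""
    return [(o, n, hashlib.sha256(reference[o:o + n]).hexdigest()) for o, n in blocks]


def check_digest_advice(image: bytes, assertions):
    """Reader side: return the (offset, length) blocks whose digest does not match."""
    return [(o, n) for o, n, expected in assertions
            if not hmac.compare_digest(hashlib.sha256(image[o:o + n]).hexdigest(), expected)]


if __name__ == "__main__":
    ref = build_image(b"genuine reader build")
    server = ChallengeServer(ref)
    print("genuine passes:", server.handshake(Reader(ref)))
    print("one-round hit chance for a 16-byte change:", hit_probability(1000, 16))
    print("after 8 rounds:", detection_probability(1000, 16, 8))
```

A 16-byte change in this 4096-byte region is overlapped by a single random 64-byte block only about 2% of the time, so targeted blocks (the "according to design" case in [0824]) find a known alteration far more reliably than random sampling.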

[0825] In summary, the invention diagnoses moles and notifies users about them.

[0826] Reduction of Mole Threats

[0827] Moles, while a potential threat to Internet security and privacy, are not more of a threat to the invention than to other components of the Internet, especially e-commerce. Better Advice Bureau.org and UrgentAdviceNet are important devices to help suppress spoofing. The same remark applies to moles. Better Advice Bureau.org and UrgentAdviceNet are important devices to help suppress mole applications uniformly. By the use of these devices, the Internet's susceptibility to mole activities may be reduced, and the attractiveness of mole activities in other settings, outside of the invention, is reduced.

[0828] Irreducible Core Risks

[0829] A threat is caused by defective advice offered in good faith by usually trustworthy authors. Advice authors have reputation incentives which tend to make them want to provide good advice. Advice providers in one core application, e.g. technical support, are part of sophisticated organizations which have the ability to do things in a disciplined way. They understand that advice should be tested for safety and effectiveness and be released in a deliberate, staged manner. Because of this, it is likely that very few pieces of advice in the technical support applications area are defective. Nevertheless, there are occasional problems with advice authored by typically trustworthy providers.

[0830] The risks posed by advice are of two kinds:

[0831] First, there are the risks posed by advice gathering and evaluation.

[0832] Second, there are risks posed by the solution process, i.e. by the user's response to a relevant advisory which offers the user a solution to a problem. This second type of risk is by far the more serious one. When the user agrees to a solution, he is allowing powerful actions with potentially permanent consequences. The advice reader is not able to provide any kind of protection against the effects of applying flawed or malicious solutions. Instead, the burden of security must fall on the user, who should always limit subscriptions to well known, trusted sites, and should always carefully check the explanation and the authenticity of authorship before accepting a solution proposed by an advisory. In its typical configuration, the invention does not automatically apply solution operators, precisely because of the need for user supervision.

[0833] As for the first kind of risk, that from gathering and evaluation, the invention is specially designed to limit risk.

[0834] It is true that the invention is typically used in a mode of automatic unattended operation. In this mode, advisories are gathered from external advice sites without user intervention and are automatically evaluated for relevance without user intervention. As mentioned earlier, the consensus of Internet experts is that automatic unattended operation over the Internet poses serious risks.

[0835] However, the invention does not download arbitrary resources, nor does it evaluate arbitrary executable code. Its design imposes constraints on what information can flow into the computer automatically, and on what effects automatic evaluation can have. These constraints are specifically imposed to avoid the known risks of unattended operation.

[0836] In its typical configuration, the invention does not automatically apply solution operators, even when performing automatic unattended operation. In that typical configuration, the effects of automatic unattended operation on the system are not direct effects, i.e. the advice reader does not enable modify access to a specific piece of the system environment. The effects are instead indirect, i.e. side effects of consuming too many resources during the downloading and evaluation of advice. The side effects to be concerned with are of three types:

[0837] (a) Advice gathering might monopolize all network bandwidth.

[0838] (b) Advice gathering might fill up the local storage device.

[0839] (c) Relevance evaluation might consume all CPU cycles.

[0840] Problems (a) and (b) are solved by resource rationing. The information that can flow into the computer consists of ASCII text files. By imposing resource quotas at download time, the system protects against the possibility that overly many network resources are used and protects against the possibility that overly big files are downloaded into the machine, exhausting the capacity of the processor or storage device. Problem (c) is also partly solved by resource rationing. By metering CPU usage and imposing resource quotas, the invention can address the problem.
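One way to ration the three resources named in (a)-(c), as an added Python example (not the patent's code): quotas are enforced while an advisory is still streaming in, so an oversized or endless download is cut off rather than stored, and relevance checks stop once a CPU budget is spent. The function names, the limits and the sample sources are constructed for the illustration.

```python
import time
from typing import Callable, Dict, Iterable, List, Tuple


def gather(sources: Dict[str, Iterable[bytes]], per_file_limit: int, cycle_limit: int):
    """Download advisories chunk by chunk under a per-file and a per-cycle byte quota.

    Returns (accepted texts, rejection reasons, bytes actually read). Bytes read
    for a rejected advisory still count against the cycle quota, because they
    consumed bandwidth.
    """
    accepted: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    used = 0
    for name, chunks in sources.items():
        if used >= cycle_limit:
            rejected[name] = "cycle quota exhausted"
            continue
        buf = bytearray()
        reason = None
        for chunk in chunks:
            used += len(chunk)
            buf += chunk
            if len(buf) > per_file_limit:
                reason = "file exceeds per-advisory quota"
            elif used > cycle_limit:
                reason = "cycle quota exhausted"
            elif not chunk.isascii():
                reason = "not ASCII text"
            if reason:
                break               # stop reading; nothing further is pulled or stored
        if reason:
            rejected[name] = reason
        else:
            accepted[name] = buf.decode("ascii")
    return accepted, rejected, used


def evaluate_with_budget(clauses: List[Tuple[str, Callable[[], bool]]], cpu_budget_s: float):
    """Run relevance checks until the CPU budget is spent; defer the rest.

    Metering happens between checks, so it relies on each individual check
    being bounded, which is the property the text claims for relevance clauses.
    """
    start = time.process_time()
    results: Dict[str, bool] = {}
    deferred: List[str] = []
    for name, check in clauses:
        if time.process_time() - start >= cpu_budget_s:
            deferred.append(name)
            continue
        results[name] = bool(check())
    return results, deferred


def endless_source():
    """Constructed misbehaving site that never stops sending."""
    while True:
        yield b"A" * 1024


if __name__ == "__main__":
    sources = {
        "ok": [b"advice one\n"],
        "huge": endless_source(),
        "binary": [b"\x7fELF\x80"],
    }
    print(gather(sources, per_file_limit=4096, cycle_limit=8192))
```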

[0841] Security Support in the Invention

[0842] The invention is designed to support security habits in several ways.

[0843] Language Structure

[0844] The relevance language is an example of mobile code. Such code is written by an author on one computer for interpretation on another computer.

[0845] Recently, there has been considerable interest in the development of safe languages for mobile coding (see S. Oaks, Java Security, O'Reilly (1998); and N. Borenstein, Email with a mind of its own: The Safe-TCL Language for Enabled mail, http://minsky.med.Virginia.edu:80/sdm7g/Projects/Python/safe-tcl/). Java and Safe-TCL are examples of so-called safe languages, i.e. they are considered to provide a degree of safety that traditional languages such as C and C++ cannot offer.

[0846] The relevance language is a language for mobile coding. The language offers a level of security protection in excess of the current norm of the Internet business community. Relevance Language interpretation is inherently safer than safe languages for mobile code, such as Java and TCL. Java, TCL, and related languages are procedural languages. They contain control features such as loops, recursion, and branching statements which, if abused, can consume large fractions of system CPU resources. They offer authors storage allocation facilities which, if abused, can potentially consume large fractions of system memory resources. Remote unattended operation of code from these languages obtained over the Internet can in fact be dangerous, despite the labeling as safe. In fact, these mobile code languages are typically only used in attended operation. For example, mobile Java code is typically used in Web browsers, with a human watching the screen as the code runs. It is implicitly understood that the human is supervising the execution of the process.

[0847] The relevance language is a descriptive language rather than a procedural language. It describes a state of the computer and its environment. Relevance evaluation is a process of determining whether this state holds or not. This description of the state uses a language that does not exhibit traditional control structures, such as loops, nor does it have traditional storage allocation facilities.

[0848] In fact, the relevance language is so tightly constrained that it is not Turing-complete. It does not suffer from the famous Turing halting problem, which is a typical property of procedural languages. The Turing halting problem is to decide whether a given computer program ever halts or not. Most procedural languages are undecidable. They contain programs, perhaps even simple ones, for which it can never be known in advance whether the program must always halt. Java and TCL programs can be undecidable. In stark contrast, statements expressible in the relevance language are decidable, i.e. they halt.

[0849] This is an additional level of security that goes well beyond the security guarantees of mobile code languages, such as Java and TCL.

[0850] Human Intelligibility

[0851] An additional security feature of the invention is the human intelligibility of the relevance language. The relevance language has an appearance which is reminiscent of ordinary English. A consumer who reads English can form an approximate sense of what a given piece of advice is doing by inspecting the plain text of the advisory. In this way, consumers are brought into the process of understanding the advisories sent to them. While it is true that untrustworthy advice providers, by writing opaque relevance clauses, may still be able to disguise their intentions, the more important point is that trustworthy advice providers are able to make their intentions clear to consumers, and thereby gain and cultivate trust.

[0852] Disclosure and Labeling

[0853] The invention offers, in one implementation, a mechanism to encourage advice providers to label their advisories clearly for intended effects and thereby provide the public an accurate understanding of the risks associated with a given solution operator.

[0854] In this implementation, the Better Advice Bureau defines and maintains a list of special labels which indicate the effects of a certain solution operator, for example, the subsystems affected, the extent to which effects are reversible, and the availability of further documentation explaining the proposed change. The advice provider uses this labeling system to describe the effects of the advisories published by the provider. The advice reader uses this labeling mechanism as part of its user interface during the solution proposal process. When a consumer is contemplating applying a solution operator, part of the user interface indicates for the consumer the types of side effects which may result, according to the labeling which the provider has supplied.

[0855] Both consumers and providers, under the guidance of a central classification, come to have a common way to understand and discuss the potential effects of a system modification. The Better Advice Bureau issues counter advisories against advisories which inaccurately label the effects of their advisories. The advice reader uses distinctive visual identifiers to call attention to advice with extreme effects and to call attention to advice with no labeled effects. The consumer may refuse to approve proposed solution operators which are unlabelled, or to subscribe to sites which author unlabelled operators.

[0856] Security Summary

[0857] There are several illegal activities that threaten the security of the consumer. However, in every instance, the system has been designed with an effective means of defense. The invention does not expose the user to levels of risk in excess of those risks already experienced through the use of e-mail and Web browsing. In fact, the risks from the invention are far lower than the risks of those standard activities.

[0858] There is also the possibility that otherwise trustworthy advice authors release damaging advice. The system is designed to contain and correct such situations. The extent of damage due to honest mistakes is contained because advice has access to only a limited complement of system resources, e.g. disk storage and CPU time, and the use of these resources is metered and rationed in a typical implementation. The structure of advice files and the associated relevance language is relatively transparent to consumers, which helps them play a role in fostering their own security. Finally, through the advisory process, through Better Advice Bureau and UrgentAdviceNet, the invention contains mechanisms to correct security problems automatically as they arise.

[0859] Privacy Issues

[0860] The advice reader accesses a great deal of information about the consumer's computer, about the contents of the files on the consumer's computer, and about the interactions of that computer with devices in the immediate environment. To the extent that the consumer stores information about his financial, personal, or medical affairs on the computer, typical implementations of the advice reader are able to access that information, for example bank balances and prescription drug information. To the extent that the consumer computer has access to network devices which form part of the consumer's home or work environment, the advice reader is able to access information about that environment, for example whether certain devices are present in the environment, whether they are operating, and what their conditions of operation are. Enabling the invention to access this information is beneficial to the consumer, allowing helpful advice to be written which can identify problematic situations and call them to the attention of the consumer.

[0861] Much of the information that the invention has access to is potentially sensitive, and most consumers would not knowingly permit such data to be divulged to strangers. Any system which can access such sensitive information must also protect the information. As explained below, the advice reader acts to preserve the privacy of the consumer.

[0862] Existing Internet Privacy Standards

[0863] The invention is designed to protect user privacy, offering a level of protection far in excess of the current norm of the Internet business community.

[0864] Internet mediated activities, such as Web browsing and on-line commerce, can result in the disclosure to Web servers of information about the browsing consumer's identity, computer configuration, and also certain items about consumer shopping or browsing interests. There is no single accepted standard of privacy, and industry groups have formed for the purpose of gathering information about consumers from their Web interactions and sharing among themselves information about the consumers. Consumer oriented groups such as EPIC (Electronic Privacy Information Center) have formed in response, and there are currently political battles over the consumer's right to electronic privacy.

[0865] The invention offers a method which meets or exceeds the level of information privacy desired by consumer groups, while providing the fine grained targeting of messages to recipients desired by industry groups.

[0866] The standard that the invention offers is understood by considering a classification of privacy respecting/threatening behaviors. The ethical standards of advice providers are classified into four categories, definitions of which are provided below.

[0867] (Ea) Completely Ethical

[0868] (Eb) Merely Ethical

[0869] (Ec) Merely Legal

[0870] (Ed) Criminal

[0871] Completely ethical behavior of an information provider is defined as full respect of consumer privacy and of the intended purpose of the invention communications protocol. A completely ethical provider would ...

[0872] never seek to perform covert identification or surveillance of a consumer community. In particular, it would:

[0873] make no efforts to infer from server activity the identity or attributes of any consumer,

[0874] make no efforts to infer from network activity the attributes of any consumer, and

[0875] make no efforts to use the Internet as a pure broadcast advertising medium, creating messages which make unsolicited contact with all or a very large number of consumers passively receiving messages.

[0876] fully disclose to consumers the existence and purpose of data gathering efforts;

[0877] make no efforts to use information so received in ways unrelated to the disclosed purpose of the information gathering effort;

[0878] make no efforts to use information gathered from such a questionnaire to correlate with future server or network activity.

[0879] Completely ethical behavior is a standard much higher than that obeyed by many actors in the current Internet business community. The Internet business community at the moment contains a wide range of attitudes and behaviors towards consumer privacy. There are many instances of behavior that can be classified as merely ethical, or merely legal.

[0880] Merely ethical means that the behavior of inferring user identity or attributes from Internet activity, while providing some sort of notice that privacy compromises are taking place, respects the provider-consumer relationship by not using the information to initiate unwanted contacts with consumers and not sharing the information with other businesses. In effect, merely ethical behavior restricts the use of information gathering to internal research and planning purposes, in much the same way that ethical companies currently use information gathered from product registration cards.

[0881] Merely legal means that the behavior of inferring user identity or attributes from Internet activity provides only minimal notice that some sort of privacy compromise is taking place, and then subsequently makes maximum exploitation of the gathered information under current laws, which includes systematically sharing the information with other businesses and initiating unwanted contacts with consumers. The standard of many Internet based information gathering efforts is at precisely the level of merely legal. Companies which are collecting information about the consumer rely on the Web browser to notify the user that an insecure process is taking place. They do not make any separate notice of their own, explaining what information is being gathered or how it is used.

[0882] Privacy Protection

[0883] The invention does not allow unsolicited interactions with the outside world. In routine operation, the invention has interactions only with the advice servers to which the user has subscribed. Assuming that security problems, such as spoofing and moles, are not an issue, the risk of compromising privacy is therefore focused on the interaction between consumer and trusted advice provider. As described below, the invention's communications protocol divides the advisory communications process into the following stages:

[0884] (ACP-a) Subscription. The consumer anonymously initiates a subscription.

[0885] (ACP-b) Gathering. The consumer's advice reader anonymously gathers advice from the site.

[0886] (ACP-c) Evaluation. The consumer's advice reader evaluates advice for relevance.

[0887] (ACP-d) Explanation. The consumer's advice reader displays a document authored by the advice provider, explaining why a certain advisory is relevant, and proposing a solution/response.

[0888] (ACP-e) Solution/Response. The consumer evaluates the document and, potentially, accepts the proposed solution/response, potentially interacting with the world as a result.

[0889] The invention, operating with the AEUP communications protocol, makes steps (ACP-a)-(ACP-d) completely private and localizes the information sharing potential to step (ACP-e).

[0890] Operationally, a completely ethical advice provider never seeks to violate the privacy protection of steps (ACP-a)-(ACP-d) of the protocol. In particular, a completely ethical provider never seeks to perform covert identification or surveillance of a consumer community using the invention. There are no efforts to infer from server activity the identity or attributes of any user. There are no efforts to develop tools to infer from network activity the attributes of any user. There are no efforts to use the invention as a pure broadcast advertising medium, creating advisories which make unsolicited contact with all or a very large number of consumers. Any efforts to use the invention to gather information from consumers are based on a questionnaire process at solution time (ACP-e) and come with full prior disclosure to the consumer at explanation time (ACP-d), in easily understandable terms, of the types of information being gathered, of the purposes for which they are being gathered. There are no efforts to use information so received in ways unrelated to the disclosed purpose of the information gathering effort. There are no efforts to use information gathered from such a questionnaire to correlate with future server activity.

[0891] In one typical implementation, the invention encourages providers to behave in a completely ethical way. The invention may provide mechanisms to encourage consumer knowledge of the standards of completely ethical behavior and knowledge of the standards kept by individual providers. The invention contains mechanisms to defeat and discourage criminal attacks on privacy and to defeat and discourage unethical behavior.

[0892] In a typical implementation, the invention has several mechanisms to promote and enforce completely ethical behavior.

[0893] First, by encouraging subscription to trusted advice sites, the system encourages users to be aware of the quality of a site. One important component of quality is ethical quality.

[0894] Second, the Better Advice Bureau provides a mechanism to issue advisories warning against unethical sites. The Better Advice Bureau maintains an openly accessible list of objective causes for counter advisories. This list makes it clear to consumers and providers the types of behavior which result in counter advisories. In this way, providers receive guidance about what constitutes unethical behavior. Those providers wishing to preserve public trust act ethically.

[0895] Third, the invention may frustrate attempts to violate the privacy intent of the protocol. As described below, all legal threats to the protocol have effective responses from the invention, and a provider must engage in criminal activity to violate the communications protocol.

[0896] Privacy and AEUP

[0897] The invention uses a protocol (AEUP) for information exchange over open public networks which imposes a much higher standard of information ethics than the current industry standard. In addition, the protocol protects against certain outright criminal behavior.

[0898] The goal of AEUP is that:

[0899] Information on the machine stays on the machine.

[0900] That is, information about the consumer's computer or its environment which has been accessed by the invention is not distributed to outside parties without explicit consent. In physical terms, AEUP provides a one way membrane between the consumer computer and the outside world. During unattended operation:

[0901] Information flows in, but no information flows out of the consumer computer.

[0902] This design constraint is expressed in four principles:

[0903] (PRIV-a) The act of subscription does not divulge the user's identity or attributes.

[0904] (PRIV-b) The act of gathering advice does not divulge the user's identity or attributes.

[0905] (PRIV-c) The act of evaluating relevance does not divulge the user's identity or attributes.

[0906] (PRIV-d) The act of passively viewing a relevant advisory does not divulge the user's identity or attributes.

[0907] When operated under AEUP, all automatic unattended operation preserves the privacy of the user's identity and attributes. The following discussion describes the ways in which AEUP and the overall invention process enable (PRIV-a)-(PRIV-d).

[0908] (PRIV-a) Privacy in the Act of Subscription.

[0909] Under AEUP, the information that a certain user is subscribing to a certain advice site is known only to the user and to his advice reader. This requires clarification. In common usage, the word subscription implies a sort of registration process by which a user identifies himself to a provider as a subscriber. Under AEUP, there is no such registration process. There is no need for it. Advice is made freely and anonymously available in the same way that Web sites make Web pages available freely and anonymously. The subscription process is an interaction between the user and the user's own advice reader, not between user and some external advice provider. The advice reader operating on the user's computer obtains from the user the selection of advice sites of interest and stores those on the user's computer only as part of a database maintained locally by the subscription manager component of the advice reader. That database controls the evaluation of advice, causing the advice gatherer to gather advice periodically from some sites and not from others. Subscription is a private matter.

[0910] (PRIV-b) Privacy in the Act of Gathering.

[0911] Under AEUP, the act of gathering advice does not reveal information that a certain consumer is interested in certain things, or that he has a certain computer configuration.

[0912] It may be objected that an advice site can learn about the identity of a subscriber from the fact that the subscriber's advice reader frequently gathers information from the site. However, in typical implementations, the only thing that can be learned from the act of gathering is that a connection to an advice site has been made from a certain IP address. Under current network protocols most consumers have dynamic IP addresses, and so the correlation between IP address and identity is weak, lasting typically a few minutes. Hence, the information in an IP address is generally of little value.

[0913] Moreover, consumers with static IP addresses who do not wish to divulge their true IP address may use a proxy server. Proxy servers are a well known tool by which certain IP client-server transactions are replaced by a three-party client-proxy-server interaction, with the proxy requesting data of the server and routing it anonymously to the client. To the server, it appears that the proxy is the client. To the client, it appears that the proxy is the server. There is never any direct contact between the server and client. The server never obtains the identity of the client, i.e. its IP number.

[0914] The invention, in one implementation, is configured to offer universal proxy service to all users, and the advice reader offers to the user, as one optional means of connection, the use of such a server. In such an implementation, Better Advice Bureau.org or another central authority offers an anonymous advice gathering server which accepts advice gathering requests from users, strips them of return addresses, routes them to advice sites, and forwards the returned information to the user. This mechanism conceals the IP address of the user.

[0915] The act of gathering may be thought to divulge information because the gatherer selects only certain documents from among those available at the advice site. This objection is based on a misunderstanding of AEUP. In a typical implementation, the advice gatherer always accesses all documents available at a certain site, which are not already present on the consumer machine. No selection of any kind is performed at gathering time. Relevance is determined only after all the advice has been gathered and stored on the consumer computer. The only correct inference that can be made from the behavior of the advice gatherer is that the consumer has an ongoing subscription to that site.

[0916] This approach is very different from currently popular approaches to obtaining relevant information using the Internet. In the currently popular approach, the user fills out a form expressing, for example, preferences, characteristics, and system configurations. This form is sent to the server. The server then responds to the consumer in a focused way, based on the information that was contained in the form. This standard process reveals information about the consumer to the server.

[0917] In the invention's approach, the consumer's preferences and configurations are kept confidential on the consumer's machine. All of the advice offered by the site is brought to the consumer machine and is then evaluated for relevance privately.

[0918] (PRIV-c) Privacy in the Act of Evaluating Relevance.

[0919] The relevance or irrelevance of a given piece of advice can signal a great deal of information about an advice consumer's computer and its environment. A very narrowly focused condition, specifying contents of the user profile, and contents of specific files can, if true, convey a great deal of information about the user.

[0920] If the advice reader allows the fact of relevance or irrelevance of an advisory to leak out of the reader to the outside world, it compromises the consumer's privacy. If this happens during unattended operation, the outcome might be very serious because many thousands of advisories are being evaluated for relevance. If there is a mechanism for systematically discovering the relevance of an arbitrary collection of many pieces of advice, a complete profile about the consumer and his environment leaks out.

[0921] In a typical implementation, the advice reader's relevance evaluation process has as its only externally observable effect a resulting change in the state of the user interface. The user is notified when a certain piece of advice has become relevant, and that is all. In a typical implementation, the simple fact that something evaluated to relevant causes no activity outside of the user's computer which can be observed by others. There is a possible exception to this when remote inspectors are available. See below.

[0922] (PRIV-d) The Act of Passively Viewing a Relevant Advisory Does Not Divulge the User's Identity or Attributes.

[0923] Reading a text file in the privacy of one's own interaction with one's own computer does not offer any breach of privacy. No one in the outside world need know that one has read the file. However, reading a Web page is a different matter. A hole in the one-way privacy membrane maintained by the invention is opened by the careless offering of HTML or other hyperlinked media as a valid type of advisory content in the explanatory component of the advisory. The discussion below describes the hole and its consequences, and describes why the invention, in a typical implementation, does not leave this hole open.

[0924] Constraints on Solution Operations

[0925] The final step in the advice processing chain is the application of a recommended solution operation. Because this operation can be an essentially arbitrary operation, it is not possible for the invention to control the effects of this operation. In particular, the recommended operation includes electronic correspondence with the advice author, divulging identity and attributes. For this reason, there is a design constraint:

[0926] (PRIV-e) In typical implementations, the advice reader does not apply recommended solution operators automatically. They may only be applied after user approval.

[0927] Because of the wide-open nature of solution operators, the consumer plays an important role in protecting his own privacy. The act of applying a recommended solution operation may divulge the consumer's identity or attributes, whether the consumer knows this or not. An unethical advice author can create mole solution operators which, while claiming to do one sort of operation, could in fact be conducting electronic correspondence covertly, without informing the consumer. The consumer should only agree to apply solution operations which come from authors he trusts to behave in an ethical fashion.

[0928] Remote Inspectors: Plugging Leaks

[0929] In one implementation, there is a potential violation of the privacy of the relevance evaluation process, based on the assumption that the advice reader allows conditional evaluation of and clauses, and the assumption that relevance clauses may refer to conditions which are verified by making queries to other computers and/or other devices remote from the computer on which the advice reader is running. A careless implementation of a remote inspector creates network activity that is observable to the outside world, and from which activity the value of certain relevance clauses is inferred. Inspectors which cause network activity are by no means central to the invention, and this particular privacy threat therefore affects only certain implementations of the invention. (Compare discussion of Covert Channels in Pfleeger, Security in Computing.)

[0930] Consider an eavesdropper who would like to learn about the value of a relevance clause R when evaluated for relevance on a certain advice consumer's machine. Suppose that the eavesdropper operates an advice site which is trusted by the consumer and subscribed to by the advice reader, so the eavesdropper can introduce advice onto the machine. Suppose that the eavesdropper knows that the advice reader contains an inspector which, when invoked via clause I, generates network activity across a piece of the Internet under control of the eavesdropper. For example, suppose that the eavesdropper has system level access to a node of the Internet in a direct path between the consumer machine and a destination machine that is queried as a result of a certain inspector call. The eavesdropper is then in a position to program the IP transport logic at the node under his control to take note of the existence of IP traffic between the consumer and the destination.

[0931] In this hypothetical situation, the eavesdropper is in a position to author advice asserting R and I and to publish the advice at his advice site. After this advice is gathered by the consumer machine, it is evaluated automatically for relevance.

[0932] In one implementation of the advice reader, the evaluation of a clause A and B stops immediately as soon as A is determined to be false because it is not necessary to know the value of B to finish the evaluation of the phrase. As soon as A is determined to be false, the phrase A and B is known to have the value False. This scheme is referred to as conditional evaluation. There are implementations of the advice reader that do not perform conditional evaluation. These schemes always evaluate all subexpressions of an expression before inferring the value of the expression. The decision to use conditional evaluation in an implementation is based on performance considerations. Advice readers using conditional evaluation typically run faster.

[0933] Assuming that the advice reader implements conditional evaluation as described above, then the network activity prompted by the clause I only occurs if the clause R evaluates to True. The eavesdropper is in a position to observe this network activity, and hence to infer that clause R evaluates to True. Information about the consumer has leaked out of the consumer's computer due to the relevance evaluation.

[0934] In discussing this hypothetical situation, it should be noted that eavesdropping activity of the sort described constitutes a form of electronic stalking and may be illegal. Such a situation requires that the trusted advice author either be himself an eavesdropper, be engaging in conspiracy with the eavesdropper, or not act to prevent unauthorized advice from being injected in his name, for example by signing his advice. The advice consumer may protect himself from this threat by subscribing to trustworthy sites only, i.e. sites meeting the standard of completely ethical behavior.

[0935] The advice consumer may also protect himself from this threat by configuring the advice reader to restrict the domain of allowed relevance checking to a domain where he has physical control. In extreme cases, this means limiting relevance to check conditions verifiable only on the machine where the advice reader is running.

[0936] There are presently four mechanisms whereby the advice reader can allow network activity and yet protect against this type of eavesdropping.

[0937] 1. Disallow conditional evaluation of clauses. The advice reader is configured to avoid conditional evaluation. In that event, no information about relevance evaluation is revealed by the existence of observable network activity between consumer and destination.

[0938] 2. Randomly reorder subexpressions for conditional evaluation. In evaluation of a clause A and B, the parser randomly reduces the clause to the equivalent of (& A B) with probability ½, and to (& B A) with probability ½. When this is done, the fact that remote network activity occurs in evaluation of the clause R and I implies that either a fair coin was tossed heads or that a clause R was true. This makes it impossible in a particular instance to determine whether R was actually true for the user in question.

[0939] 3. Always force evaluation of subexpressions involving network activity. The advice reader is configured so that each inspector has an attribute Remote-Activity which is set in case the inspector causes activity off the machine running the inspector. The advice reader, in parsing a relevance clause, identifies those subexpressions which have attribute Remote-Activity and forces evaluation of those subexpressions.

[0940] 4. Decouple network activity from relevance evaluation. Inspectors with the attribute Remote-Activity are constrained to work only on cached data, using queued requests, to a prespecified location or collection of locations. This means that an inspector, when receiving a request for an attribute determinable only remotely, can check a local cache. If the answer is found in the cache, it responds with the answer. If the answer is not found in the cache, the request is placed in the queue for future evaluation. Independently, a process runs according to a fixed schedule, e.g. once per day, which communicates with a fixed list of remote machines, and which at that time processes all requests that have been cached in the last day. In this way, relevance evaluation per se causes no network activity outside of regularly scheduled activity.

[0941] An appropriate combination of these mechanisms can safeguard the privacy of relevance evaluation, even in the indicated context of criminal eavesdropping.
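The following added example (not part of the original disclosure) models the clause R and I discussed above and compares what an on-path observer sees under conditional evaluation, under evaluation with conditional evaluation disabled, and under forced evaluation of Remote-Activity subexpressions. The clause encoding, the mode names and the stub inspectors are assumptions made for illustration; no real network traffic is generated.

```python
"""Constructed model of relevance-clause evaluation; not the patent's implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

# Hypothetical encoding: a clause is an inspector name, or ("and", left, right).
Clause = Union[str, Tuple[str, "Clause", "Clause"]]


@dataclass
class Inspector:
    fn: Callable[[], bool]
    remote_activity: bool = False  # the Remote-Activity attribute described in the text


def has_remote(clause: Clause, inspectors: Dict[str, Inspector]) -> bool:
    """True if any inspector inside the clause causes activity off the machine."""
    if isinstance(clause, str):
        return inspectors[clause].remote_activity
    _, left, right = clause
    return has_remote(left, inspectors) or has_remote(right, inspectors)


def evaluate(clause: Clause, inspectors: Dict[str, Inspector],
             mode: str, wire: List[str]) -> bool:
    """Evaluate a clause; every remote inspector call is appended to `wire`,
    which stands in for the traffic an eavesdropper on the path could see."""
    if isinstance(clause, str):
        inspector = inspectors[clause]
        if inspector.remote_activity:
            wire.append(clause)
        return inspector.fn()
    op, left, right = clause
    if op != "and":
        raise ValueError("only 'and' clauses are modelled here")
    if mode == "conditional":
        # Stop as soon as the left operand is false (short-circuit).
        return evaluate(left, inspectors, mode, wire) and \
            evaluate(right, inspectors, mode, wire)
    if mode == "exhaustive":
        # Mechanism 1: evaluate all subexpressions before combining them.
        results = [evaluate(c, inspectors, mode, wire) for c in (left, right)]
        return all(results)
    if mode == "force_remote":
        # Mechanism 3: operands containing a remote inspector are always
        # evaluated; purely local operands may still short-circuit.
        operands = (left, right)
        forced = {i: evaluate(c, inspectors, mode, wire)
                  for i, c in enumerate(operands) if has_remote(c, inspectors)}
        for i, c in enumerate(operands):
            value = forced[i] if i in forced else evaluate(c, inspectors, mode, wire)
            if not value:
                return False
        return True
    raise ValueError("unknown mode: " + mode)


def run(r_value: bool, mode: str) -> Tuple[bool, List[str]]:
    """Evaluate 'R and I' where R is a local fact and I is a remote inspector."""
    inspectors = {
        "R": Inspector(lambda: r_value),                    # local, private fact
        "I": Inspector(lambda: True, remote_activity=True)  # stub for a remote query
    }
    wire: List[str] = []
    result = evaluate(("and", "R", "I"), inspectors, mode, wire)
    return result, wire


def leaks(mode: str) -> bool:
    """Does the observable traffic differ depending on the private value of R?"""
    return run(True, mode)[1] != run(False, mode)[1]


if __name__ == "__main__":
    for mode in ("conditional", "exhaustive", "force_remote"):
        print(mode, "leaks R" if leaks(mode) else "traffic independent of R")
```
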

[0942] HTML: Plugging Leaks

[0943] The final appearance of a typical modern HTML document is the product of several files rather than a single one. The HTML document itself gives a kind of logical skeleton of the display, and an inventory of the textual component, and a collection of links to various graphics and multimedia files, which provide the visual components. In traditional Web browsing practice, a Web browser constructs the rendered image in a series of stages. First the HTML file is gathered and the skeleton of the document is rendered. If the HTML document refers to remotely located multimedia files, then the Web browser begins to gather those files. After the files arrive, they are used to format and render the final display.

[0944] Suppose that an advice provider has authored an advisory containing an HTML file making references to files located on the advice provider's server in its explanatory component. Suppose also that the advice reader behaves as a traditional Web browser in rendering HTML. At the moment that the consumer reads the advisory, the underlying graphics files are gathered from the advice server. In other words, there is noticeable activity at the advice server caused by the fact of reading an advisory. If the advisory is irrelevant, the HTML is not rendered and, because the unrendered HTML never leads to a gathering of the multimedia file, the server can infer from this activity that an advisory evaluated to relevant. This constitutes a leak of information through the one way membrane, back from consumer to provider.

[0945] A completely ethical advice provider must not take any notice of this activity. However, a merely ethical advice provider could, in principle, exploit this fact to learn something about the consumer population. Indeed, such an advice provider can author an advisory referring to a special multimedia file, pointed to only by this advisory. Counting the number of references to the multimedia file, and dividing by the number of gathers of the advisory itself, one can obtain an estimate of the fraction of the consumer population which exhibited a certain combination of circumstances.

[0946] However the invention, in a typical implementation, takes steps to frustrate this sort of activity. Inducing leaks of this kind is considered less than completely ethical because, combined with other unethical behavior, it can compromise individual privacy. It is true that such leaks have an innocent and useful application. As long as no correlation is made between the information leaking back and individual identity, one could argue that the leak can be made to serve a constructive purpose of informing the advice provider about the user population in general. However, the existence of such a leak creates a temptation to perform such a correlation, which leads to serious privacy abuses.

[0947] There is another mechanism available by which the invention offers similar feedback to advice providers while protecting individual privacy, i.e. randomized response. To discourage attempts to exploit leaks caused by HTML, a typical implementation of the invention can employ one or all of three mechanisms:

[0948] 1. HTML-A Proxy server. By working exclusively through a proxy server, the advice reader can destroy all correlation which might otherwise be visible at the advice site between identity of gatherer and fact of gathering. In effect, the advice reader is requesting the multimedia file from the proxy server rather than the original site. In one implementation, the proxy server caches the multimedia file locally and so serves many requests for the multimedia file while only asking for the file once from the advice site. Advice sites may find this arrangement advantageous because it minimizes the load on their own server. In return, they lose the ability to make population attribute prevalence studies, or to make correlation between identity and attributes.

[0949] 2. HTML-B Immediately gather all multimedia. In one implementation of the invention, the gathering process includes the automatic downloading of all multimedia files referred to in the HTML of an advisory. This works as follows: A preliminary parsing of the advisory leads to a listing of all multimedia files referred to in the HTML source of the explanatory component of the advisory. The advice gatherer gathers those files immediately, ensuring that if the advisory ever becomes relevant, the file is available locally. For this implementation of the invention, there is no connection between the fact that a file was gathered and the possibility that a certain advisory may be relevant.

[0950] Mechanisms (HTML-A) and (HTML-B) may be used simultaneously. That is, a proxy server may gather advice on behalf of a client, and also all multimedia files referred to in any HTML source contained within that advice. The consumer advice reader initially gets only the advisory files, and not all the multimedia files. At the proper time, the multimedia files are gathered from the proxy server. In this way, there is again no connection between the fact that a file was gathered and the possibility that a certain advisory may be relevant.

[0951] 3. HTML-C Download multimedia at random. In one implementation of the invention, the gathering process includes the random downloading of some multimedia files referred to in the HTML of some advisories. This works as follows: A preliminary parsing of the advisory leads to a listing of all multimedia files referred to in the HTML source of the explanatory component of the advisory. The advice gatherer periodically gathers a few randomly selected files from that list. This ensures that, for any advisory that an advice author publishes, a large fraction of the multimedia files are accessed, not for reasons of relevance, but due to the outcomes of pure chance experiments. Partially, this ensures that among those customers where an advisory becomes relevant, for many of them the file is already available locally. Under this implementation of the invention, there is no logical connection between the fact that a file is gathered and the possibility that a certain advisory is relevant. Whatever connection there may be is probabilistic and could be made rather weak by appropriate choice of the frequency of random downloading.
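As an added illustration of mechanism (HTML-B), not taken from the original disclosure, the sketch below performs the preliminary parsing described above: it lists every file an HTML explanatory component would cause a renderer to fetch, gathers those files at gather time, and resolves references at display time from the local store only. The function names, the tag list, the sample advisory and the example.invalid URLs are assumptions constructed for the example.

```python
"""Constructed sketch of 'immediately gather all multimedia' (HTML-B)."""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin

# Tag/attribute pairs that make a renderer fetch another file. This list is an
# assumption for the example and is not exhaustive.
FETCHING_ATTRS = {
    ("img", "src"), ("embed", "src"), ("audio", "src"), ("video", "src"),
    ("source", "src"), ("object", "data"), ("body", "background"),
    ("link", "href"),
}

# Constructed sample advisory and site address.
BASE_URL = "http://advice.example.invalid/site/adv42.html"
SAMPLE_HTML = (
    '<html><body background="bg.gif"><p>Update your driver.</p>'
    '<img src="/img/warn.png"><img src="/img/warn.png"/>'
    '<a href="http://advice.example.invalid/more.html">more</a>'
    "</body></html>"
)


class ResourceLister(HTMLParser):
    """Collects the absolute URL of every file the HTML would pull in."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.resources: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in FETCHING_ATTRS:
                url = urljoin(self.base_url, value)
                if url not in self.resources:  # keep order, drop duplicates
                    self.resources.append(url)


def list_resources(html: str, base_url: str) -> List[str]:
    parser = ResourceLister(base_url)
    parser.feed(html)
    parser.close()
    return parser.resources


def gather(html: str, base_url: str, fetch: Callable[[str], bytes],
           store: Dict[str, bytes]) -> Dict[str, bytes]:
    """Gather time: fetch every referenced file, before relevance is known
    and regardless of how relevance later turns out."""
    for url in list_resources(html, base_url):
        if url not in store:
            store[url] = fetch(url)
    return store


def render_plan(html: str, base_url: str,
                store: Dict[str, bytes]) -> Dict[str, Optional[bytes]]:
    """Display time: resolve references from the local store only. A missing
    file maps to None (show a placeholder); the network is never contacted."""
    return {url: store.get(url) for url in list_resources(html, base_url)}


if __name__ == "__main__":
    seen: List[str] = []
    local = gather(SAMPLE_HTML, BASE_URL,
                   lambda u: seen.append(u) or b"(bytes)", {})
    print("requests at gather time:", seen)
    print("resolved at display time:", sorted(render_plan(SAMPLE_HTML, BASE_URL, local)))
```

Because render_plan takes no fetch function, viewing a relevant advisory cannot produce a request that the advice server could count.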

[0952] Support for Privacy Ethics

[0953] There are three meta-principles in the invention which help to enforce information ethics.

[0954] 1. Ethical sites. Consumers should only subscribe to advice sites known to behave in an ethical fashion. Many consumers configure their advice reader to subscribe mainly to advice from large concerns which manufacture goods and services of interest to the consumer. For example, a computer manufacturer, a software publisher, or the provider of Internet service. Subscription to substantial organizations of this type is a reasonably secure practice. Such organizations have an interest in providing trustworthy advice so that they maintain rapport with their consumers. Few risks are posed to advice consumers who subscribe to advice authored by such concerns.

[0955] 2. Clear definition of ethics. The Better Advice Bureau is a fundamental tool for encouraging ethical behavior of authors. All users subscribe to this site. This site compiles counter advice, informing users about unethical sites and about unethical advice which has been circulating. Better Advice Bureau defines a solution operator as unethical if it involves divulging information to the author without first informing the user that information is to be divulged or without informing the user accurately about the nature of the information that is to be divulged. If pieces of mole advice are circulating which behave unethically, and they come to the attention of Better Advice Bureau.org, it may release counter advisories against them. Hence, the Better Advice Bureau functions in some respects as a privacy protection system for the invention, allowing the correction of unethical situations.

[0956] 3. Clear labeling of side effects. To make the definition of ethical behavior clear, and deviation from ethical behavior clear, the Better Advice Bureau describes a set of labels to be attached to advisories, indicating the potential side effects of solution operators. These labels indicate:

[0957] The critical subsystems which may be affected by the advisory's proposed solution.

[0958] Whether information may be revealed by using the advisory's proposed solution.

[0959] What types of information may be so revealed.

[0960] If information may be revealed, whether it may be used for marketing/mailing.

[0961] If information may be revealed, whether it may be shared with other companies.

[0962] Completely ethical behavior demands that advice authors label their advice according to its effects on potential consumers. Better Advice Bureau considers it grounds for a counter advisory if an advisory is mislabeled. Persistent, concerted efforts to misinform are considered by Better Advice Bureau grounds for a site counter subscription advisory.

[0963] Alternate Client-server Interactions

[0964] A key component of the invention is the synchronization between consumer and provider site images. This happens according to AEUP. However, there are other embodiments of the basic invention in which synchronization is effected by different means. These are described below.

[0965] Anonymous Selective Update Protocol

[0966] Under this protocol, the act of subscription and the act of synchronization are both anonymous as in the AEUP. However, the update process is selective rather than exhaustive.

[0967] ASUP Definition

[0968] Under ASUP, each advisory message is abstracted into a short form consisting of at least a message identifier referring to the original advisory, the relevance clause of the original advisory and, potentially, other information, such as a subject line. Under this protocol, the advice server, in addition to directory messages and whole advisory files, also serves to the advice reader the abstracts of one or many advisories.

[0969] Under ASUP, the gathering process changes. The advice reader, instead of ensuring that it has the entire body of each advisory of the advice site, ensures that it has at least the abstract for each message. It does this by issuing requests for all the abstracts of all the advisories that are new since the previous synchronization.

[0970] Under ASUP, the advice database changes. The database contains two kinds of entries: full advisories, and advisory abstracts.

[0971] Under ASUP, the advice reader schedules relevance evaluation for all the relevance clauses it has obtained, both those clauses contained in full advisories and those clauses contained in abstracts.

[0972] Under ASUP, a relevant advisory can trigger a new round of contact between advice reader and advice site. Depending on the configuration, the advice reader, either in anticipation of the user wanting the full advisory or after a direct user request, establishes a connection with the advice site, and requests the bodies of certain advisories.

[0973] The result of this protocol is that, whereas the consumer's advice reader accesses and evaluates all the published relevance clauses, it does not download all the published advisories.

[0974] Analysis of ASUP

[0975] This protocol can be advantageous if the published advisories consume considerably more storage than the abstracted advisories. It saves the consumer time in accessing a large body of advisories and saves the provider time in serving requests. A potential drawback of this protocol is the possibility of compromises of consumer privacy. Under the ASUP protocol, it is conceivable that an advice provider attempts to make inferences about the consumer based on observing the advisory files requested and not requested by the advice reader. If the protocol is implemented exactly as described above, the consumer never requests the entire advisory when the clause is not relevant and always requests the entire advisory when the clause is relevant. An advice provider whose intent is to learn information about a specific consumer can, in principle, correlate server requests for full advisories with the IP addresses from which they came, inferring that requests signify the relevance of the corresponding advisory on the corresponding computer. If the IP address is permanently assigned to a certain consumer computer, the provider can, in principle, correlate such requests with consumer identity. In this way, information about the consumer may leak back to the server.

[0976] Privacy Protection Under ASUP

[0977] Random gathering. The potential for information leaks is reduced by having the advice reader request full advisory bodies for some advisories whose relevance clauses are not relevant. This is done by a randomization mechanism. Each full advisory body is requested with a probability p, where p is a specified number.

[0978] Proxy server. The potential for information leaks is reduced by having the advice reader request full advisory bodies via a proxy server, which anonymously forwards advisory body requests to the advice site, and thereby masks to the advice site the identity of the requester. A centralized proxy server, for example located at the Better Advice Bureau or at advisories.com, is made available for this purpose.

[0979] Proprietary server. The potential for information leaks is reduced by restricting the supply of server software. If the only server software which works with the invention protocol does not make correlation between consumers and the advisories they request, and also does not log the requests, and if the users of the server software do not attempt to frustrate the intent of the proprietary protocol by eavesdropping on the server-reader transaction, then there is no disclosure of personal information to the server as a result of ASUP.

[0980] The supply of server software can be restricted by modifying the reader/server interaction so that a certain security handshake is mandatory. By using digital encryption technology as part of the security handshake and by restricting access to the appropriate security handshake keys, one restricts access to the ability to build server software.

[0981] Prohibitions against eavesdropping on client-server interactions can be enforced contractually. Valid server software may be made available only on condition that recipients do not eavesdrop.

[0982] Hence there are several avenues to safeguard privacy under ASUP.
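The added example below (not part of the original disclosure) quantifies how much deniability the randomization in the random gathering mechanism provides, and the same calculation applies to the random reordering of subexpressions described earlier, where p is ½. It assumes that a body is always requested when its clause is relevant and is requested with probability p otherwise; the function names, the advisory identifiers and the prior are constructed for illustration.

```python
"""Constructed model of random gathering under ASUP and what a server can infer."""
import random
from typing import Iterable, List, Set


def plan_body_requests(abstract_ids: Iterable[str], relevant_ids: Set[str],
                       p: float, rng: random.Random) -> List[str]:
    """Choose which full advisory bodies to request.

    Assumption: bodies of relevant advisories are always requested; each other
    body is requested as a decoy with probability p.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return [a for a in abstract_ids if a in relevant_ids or rng.random() < p]


def posterior_relevant(prior: float, p: float, requested: bool) -> float:
    """Observer's belief that the clause is true, by Bayes' rule.

    Model: P(request | clause true) = 1 and P(request | clause false) = p.
    `prior` is the observer's belief before seeing any traffic.
    """
    if not (0.0 <= prior <= 1.0 and 0.0 <= p <= 1.0):
        raise ValueError("prior and p must be probabilities")
    if requested:
        evidence = prior + (1.0 - prior) * p
        return prior / evidence if evidence > 0.0 else 0.0
    # Under the model a relevant advisory is always requested, so the absence
    # of a request can only come from a clause that is false.
    return 0.0


if __name__ == "__main__":
    ids = ["adv-%03d" % n for n in range(1, 21)]  # constructed identifiers
    relevant = {"adv-004", "adv-017"}
    chosen = plan_body_requests(ids, relevant, p=0.25, rng=random.Random(1))
    print("bodies requested:", chosen)
    for p in (0.0, 0.05, 0.5, 1.0):
        print("p=%.2f  belief after a request=%.3f" %
              (p, posterior_relevant(0.01, p, True)))
```

With a prior of 1%, a decoy rate of 0.05 still lets a request raise the observer's belief to about 17%, and under this model a missing request reveals that the clause is false, so randomization weakens only the positive inference.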

[0983] NonAnonymous Exhaustive Update Protocol

[0984] In certain settings, the concept of anonymous subscription is not workable, for example because advisories are made available only on a for-pay basis, and the reader/server interaction includes a handshake segment in which the reader must qualify himself as a paying customer. A variant on this scenario is in providing advice to members of a club, where members are not in any narrow sense paying for the advice subscription itself, but need to be members to qualify for the advice.

[0985] The non-anonymous exhaustive update protocol (NEUP) is applied in a non-anonymous setting where a subscriber exhaustively updates, downloading all new advisories at each synchronization. Under NEUP, the consumer's privacy is protected in the following sense: While the fact of the consumer's subscription is known to the provider, the routine act of gathering advice and evaluating relevance does not reveal information about the consumer to the provider.

[0986] NonAnonymous Selective Update Protocol

[0987] In certain settings, the concept of anonymous subscription is not workable and the use of exhaustive updating is not workable, either because there is a very large body of potentially relevant advisories to consider or each advisory is rather large in size, and very few of the advisories are likely to be relevant, so consumers and providers are not willing to devote extensive resources to exhaustive updating.

[0988] The non-anonymous selective update protocol (NSUP) provides this non-anonymous setting where the advice reader selectively updates, obtaining first abstracted advisories, evaluating relevance, and later downloading relevant advisories.

[0989] The NSUP by itself gives the consumer no guarantees of privacy from the provider. The fact of the consumer's subscription is known to the provider and the routine act of gathering advice and evaluating relevance reveals to the provider which relevance clauses are True. Under NSUP, there are several mechanisms for helping to protect consumer privacy, e.g. randomization, proxy server, and proprietary server.

[0990] Alternate Advice Distribution

[0991] Centralized Advice Server

[0992] In one embodiment, a single centralized site stores the advice offered by many different advice providers, with the different advice sites actually serving as different subdirectories of a single file system. All advice readers operating on consumer computers synchronize their site images by contacting this centralized site and requesting resources, such as advisories, from this site. In practice, the single site actually consists of a collection of computers mirroring each other's functions and contents.

[0993] This arrangement has an impact in two areas:

[0994] Privacy. This arrangement prevents providers from learning about the identity or about any relevance attributes of any consumers by insulating consumers from providers. In particular, the ASUP protocol is safe in such a setting, provided the central advice site does not log or analyze reader-server transactions.

[0995] Security. This arrangement limits advice sites to those satisfying certain standards imposed by the central server management by restricting the supply of advice sites, and thereby ensures that advice sites are run by typically responsible organizations.

[0996] The centralized site allows advice providers to update the contents of their sites on the centralized server by use of standard methods, such as FTP or related file transfer methods.

[0997] Centralized Proxy Server

[0998] In one embodiment, a single centralized site is available to act as a Proxy server for all advice readers. There is a widely distributed base of advice sites. However, many users do not go to those sites individually. Instead, they configure their advice reader to get all advisories via the centralized proxy server. This is particularly true of users concerned about privacy violations.

[0999] The centralized proxy server caches the advice offered by many different advice providers. Advice readers on consumer computers request the proxy server to make available resources, such as advisories, from certain advice sites. If those resources are available on the proxy site, they are served immediately to the user. If they are not available, the original site is queried for the resources, which are both forwarded anonymously to the user, and also placed in the proxy site cache. The advice site includes a method to signal the centralized proxy site when the original site is changed, indicating that it is time to flush the cache (see Hallam-Baker, Phillip M. (1996) Notification for Proxy Caches, World-Wide-Web Consortium Technical Report, http://www.w3.org/TR/WD-proxy).

[1000] This arrangement addresses consumer privacy concerns. By insulating consumers from providers, this arrangement prevents providers from learning about the identity or about any relevance attributes of any consumers. In particular, even the ASUP protocol is safe in such a setting, provided the central advice site does not log or analyze reader-server transactions.

[1001] Centralized Anonymous Advice Remailer

[1002] In one embodiment, advice distribution operates by the use of Internet e-mail transport, routed through a centralized remailer by the use of anonymous mailing lists.

[1003] The advice site architecture discussed above is maintained. However, there is a widely distributed base of advice sites. Many readers do not contact those sites directly. Instead, they get advice by anonymous mail. In this implementation, advice sites e-mail their new advisories to the central remailer site, which in turn e-mails them to a mailing list which is kept confidential, consisting of individuals who have contacted the central site and established a subscription relationship. In this implementation, there is a new form of advisory specially designed for retraction. Advice sites handle retraction of advice by e-mailing retraction advisories to the central remailer site, which in turn e-mails them to the mailing list.

[1004] Under this arrangement, the advice reader cooperates with the e-mail reader on the consumer computer, with the consumer's e-mail reader configured to filter advice automatically into a mailbox designated for advice reader access. The advice reader performs site synchronization, not by contacting the original advice site, but instead by interpreting the contents of the mailbox that have arrived since the previous synchronization.

[1005] This approach is particularly suited for working with POP3 Internet mail servers. This arrangement is essentially an implementation of the AEUP protocol using e-mail. Neither the fact that a certain consumer has a subscription nor the fact that a certain advisory is relevant is generally available to the advice provider.

[1006] Under this arrangement, the one-way membrane that AEUP provides is made particularly clear to consumers. Consumers understand that the advice site need not know that they subscribe to the site and that there is never direct IP traffic between the consumer machine and the advice site. They can see, by inspecting the plain text of the mail, that advisories are not coming to them directly from the advice site, but instead are transferred anonymously to them from the centralized advice remailer.

[1007] A potential weak spot in this arrangement is the existence of a secret mailing list, whose secrecy may be compromised. To inspire consumer confidence, it is best that the centralized remailer is operated by a trusted, consumer-minded authority.

[1008] By insulating consumers from providers, this arrangement prevents providers from learning about the identity or about any relevance attributes of any consumer who participates in this arrangement and who does not choose to disclose anything to the providers voluntarily.

[1009] USENET Advice Diffuser

[1010] In one embodiment, advice distribution operates via USENET news transport.

[1011] The advice site architecture described above is maintained. There is a widely distributed base of advice sites. However, many readers do not contact those sites directly. Instead, they get advice by USENET. In this implementation, a whole collection of USENET newsgroups is created, e.g. one per advice site. The advice site, from time to time, posts new advisories to USENET, which, in turn, causes the new postings to be distributed worldwide to all machines that operate as newsgroup servers.

[1012] Under this arrangement, the advice reader then performs site synchronization, not by contacting the original advice site, but instead using USENET protocols to contact a newsgroup server and access new postings in certain newsgroups.

[1013] This arrangement is essentially an implementation of the AEUP protocol using USENET. Neither the fact that a certain consumer has a subscription nor the fact of a certain advisory's being relevant is generally available to the advice provider.

[1014] Under this arrangement, the one-way membrane that AEUP provides is made particularly clear to consumers. Consumers understand that the advice site need not know that they subscribe to the site and that there is never direct IP traffic between the consumer machine and the advice site. In fact, because the act of receiving news via USENET is anonymous, there is not even a mailing list anywhere and so there is no centralized information base linking them to the advice site.

[1015] Software Channels

[1016] In one possible embodiment, advice distribution operates by the use of what are commonly referred to as channels by push providers, such as Backweb, Marimba, and Pointcast (see Ellerman, Castedo (1997) Channel Definition Format, World-Wide-Web Consortium Technical Report, http://www.w3.org/TR/NOTE-CDFsubmit.html). In another embodiment, advice distribution operates by the use of e-mail mailing lists. In either case, the distribution method is referred to as a channel. The logical relationships are the same. Nothing of importance changes below if every occurrence of the word channel is changed to mailing list.

[1017] The advice site architecture discussed above is maintained. There is a widely distributed base of advice sites. However, some readers do not contact those sites directly. Instead, they receive advisories through channels. In this implementation, a whole collection of channels is created, perhaps one per advice site. The advice site from time to time pushes new advisories to its channel which, in turn, causes the new offerings to be distributed worldwide to all machines that subscribe to that channel.

[1018] Under this arrangement, the advice reader performs site synchronization by listening for incoming data on the channel, and processing the incoming advisories as they arrive.

[1019] This arrangement is essentially an implementation of the NEUP protocol. Under some implementations of channels, the fact that a user has a subscription is known to the content provider. Typically, the fact that a certain advisory is relevant is generally unavailable to the advice provider.

[1020] Under this arrangement, the one-way membrane that AEUP provides is made particularly clear to consumers, if channel providers offer truly one-way channels and explain this to consumers. For example, mailing lists are well understood by consumers to offer what is typically a one-way communication. Consumers understand that communication only becomes two-way when the consumer wishes to initiate contacts in the other direction.

[1021] Alternate Mechanisms to Promote Consumer Trust

[1022] So far it has been assumed that the primary concerns that a consumer might have about privacy must be solved technologically. The viewpoint has been that it is only possible to protect consumer privacy by developing a system which renders it literally impossible for advice providers to make valid inferences about the relevance of certain advisories to specific consumers. It is an important achievement to be able to insulate consumers in this way. However, this insulation comes at the cost of certain constraints. In addition, some consumers may not be able to accept that there exists a purely technological solution to the privacy problem, and those consumers may suspect that any technological solution inevitably has failings, i.e. leaks from time to time. Such consumers worry about what happens if a leak occurs, and are not persuaded by technologists' assurances that no leaks can occur. Such consumers might be more reassured by explicit pledges on the part of advice providers that leaks would not be exploited by the providers.

[1023] A way to address consumer concerns about advice provider intentions is to restrict the population of advice providers to just those providers who have signed and who are fulfilling a contract to behave in ways which offer consumers guarantees. This has three components:

[1024] Ethical Standards. A fundamental document is made available providing a well known definition of ethical behavior. Certain advice providers have signed this document and deposited it with a central authority, such as Better Advice Bureau, which publishes the identities of signers.

[1025] User Interface. Users are given an option to restrict interactions just to providers who are known to follow the ethical standards.

[1026] Restriction of Server Privileges. The reader/server interaction is protected by a proprietary handshake mechanism, and access to the appropriate reader/server handshaking secret codes is licensed only to those who have signed the agreement on ethics. There are two natural ways this is done:

[1027] By a centralized server strategy, in which advice readers have their functioning restricted by a handshaking mechanism so that they can only interact with a centralized advice server, serving advice only from those sites known to be obligated to follow ethical standards and known to be in compliance.

[1028] Following a proprietary server strategy, in which advice readers can only interact with advice servers having the appropriate handshake, and the handshake is known only to servers at ethically bound advice sites.

[1029] In summary, there are some providers who have signed an agreement making a contractual guarantee of privacy to customers. There are some consumers who want to deal only with such providers, and there is a technological mechanism to restrict advice reader access to those providers.

[1030] Alternate Relevance Evaluation Models

[1031] The General Picture: State Comparison

[1032] In effect, a relevance clause is an assertion about the state of a computer or of its environment or of the state and environment of computational devices reachable from the computer. The relevance language provides a way for an author to describe components of the state of a computer. However, there are other ways that components of the state could be described.

[1033] The advice reader and the associated inspector libraries give a way to compare a description of the state with the actual state. However, there are other ways that components of the state could be compared with a description.

[1034] Community of Watchers

[1035] An alternate method of state description might rely on a community of watchers, i.e. specialized applications, each potentially with its own unique concerns and architecture, which can analyze specific assertions about the computer or its environment. Such an application is referred to as a watcher.

[1036] Consider a file watcher application that watches to see if certain files have appropriate attributes. This application maintains a database of assertions. Each entry names a file or directory, a list of the specified attributes of the object, a specified watching frequency, and a pointer to a message and action associated with failure of the assertion. Examples of specifiable attributes include existence, name, version, size, and checksum. The file system watcher, running continually, at scheduled times, or under user control, goes through its database of assertions and checks that each entry has the asserted status, e.g. each file has the specified attributes. If it finds an entry that does not have the required status, then it passes information about the failure of the assertion, along with the message and actions associated with the assertion, to a user interface module. The user interface module, which is part of the watcher application or an application used in common across the whole system, presents to the user information about failure of the asserted condition and relays the associated message and recommended response.

[1037] A file watcher application also interprets messages making new assertions about the state, or revoking old assertions. The receipt of such a message causes the file watcher to update its database of assertions to include entries making the new assertions or to delete entries making the revoked assertions. The file watcher itself receives these messages from a messaging module, which is part of the watcher application or an application used in common across the whole system.

[1038] A remote author who wants to assert conditions about the consumer computer authors messages intended for the file watcher application according to a published file watcher assertion specifier. This is a database entry homologous to the entries in the database kept by the file watcher, or a textual description of an entry, using a keyword language or other humanly interpretable descriptive device. Such a specifier is packaged for transport across networks or by other digital transfer mechanism. Such a package is distributed to consumer machines by any of the methods enumerated so far, i.e. AEUP, ASUP, NEUP, NSUP, e-mail, or channels.

[1039] Some potential advantages of this approach include:

[1040] 1. Specialization yielding efficiency. A watcher, because it is specialized, is written to optimize the speed at completing a specialized set of tasks. For example, if a file system watcher has to watch several files in the same directory, it can do so while making only one directory structure access rather than several, thereby saving disk operations. It is possible to avoid certain operations if it is known what the outcome is based on certain earlier operations. If several different assertions must be tested about the same file, it is possible to make a single file access to get the information about all of them simultaneously. In addition, if the watcher accepts instructions in a predefined format that avoids the need for parsing, it can evaluate assertions more quickly.

[1041] 2. Specialization yielding expressiveness. A watcher, because it is specialized, is written to use a very convenient mode of describing a specialized set of tasks. For example, if a file system watcher accepts expressions in a language, that language is designed to incorporate well proven useful idioms from other systems. Thus, in UNIX, wild cards *, [a-z], ? and related constructs are useful in efficiently describing properties of file systems, for example, in referring to a large collection of files with similar but not identical names. A file system watcher makes use of such a specialized idiom without impacting the design of the interfaces of other watchers in the community of watchers.

[1042] 3. Specialized scheduling algorithms. A watcher, because it is specialized, is written to schedule execution of the specialized task set that it addresses appropriately. For example, a file system watcher operating in continuous watch mode follows a specialized scheduling algorithm which is different from the algorithm used for a system settings watcher. In certain operating systems, for example, the file system itself maintains information about whether files or directories changed, which is used to defer evaluation of assertions because it is known that the state of the assertions has not changed since the previous evaluation.

[1043] 4. Specialization yielding security and privacy. A watcher, because it is specialized, is written to block certain dangerous or revealing assertions. For example, a file system watcher has various user configurable security and privacy settings, enabling the user to control the access to certain files or elements within files.
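The file watcher of [1036]-[1043] can be sketched as follows. This is an added example, not code from the patent: the names Assertion, FileWatcher and private_dirs are hypothetical, the watching frequency and the action attached to an assertion are left out, and the directory tree is constructed in a temporary folder. It shows one directory access serving several assertions, UNIX wildcards in the assertion, and a user privacy setting that rejects assertions probing a protected directory.

```python
import fnmatch
import hashlib
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    """One entry in the watcher's assertion database (hypothetical layout)."""
    directory: str
    pattern: str                  # UNIX wildcard naming the watched file(s)
    exists: bool = True           # False asserts that nothing matches
    size: Optional[int] = None
    sha256: Optional[str] = None
    message: str = ""             # relayed to the user when the assertion fails


class FileWatcher:
    def __init__(self, private_dirs=()):
        # Resolve symlinks and ".." once so the privacy check compares real paths.
        self.private = [os.path.realpath(p) for p in private_dirs]
        self.db = []
        self.scans = 0            # directory accesses made by check()

    def _is_private(self, directory):
        real = os.path.realpath(directory)
        return any(os.path.commonpath([real, p]) == p for p in self.private)

    def add(self, assertion):
        """Accept a new assertion unless it probes a user-protected directory."""
        if self._is_private(assertion.directory):
            return False
        self.db.append(assertion)
        return True

    def revoke(self, assertion):
        if assertion in self.db:
            self.db.remove(assertion)

    def check(self):
        """Return [(assertion, reason)] for every assertion that fails."""
        by_dir = defaultdict(list)
        for a in self.db:
            by_dir[a.directory].append(a)
        failures = []
        for directory, group in by_dir.items():
            try:
                with os.scandir(directory) as it:      # one access per directory
                    entries = {e.name: e for e in it if e.is_file()}
            except OSError:
                entries = {}
            self.scans += 1
            digests = {}                               # each file is read at most once
            for a in group:
                names = sorted(n for n in entries if fnmatch.fnmatchcase(n, a.pattern))
                reason = self._evaluate(a, names, entries, digests)
                if reason:
                    failures.append((a, reason))
        return failures

    def _evaluate(self, a, names, entries, digests):
        if not a.exists:
            return f"unexpected: {names[0]}" if names else None
        if not names:
            return "no match"
        for n in names:
            if a.size is not None and entries[n].stat().st_size != a.size:
                return f"size mismatch: {n}"
            if a.sha256 is not None:
                if n not in digests:
                    with open(entries[n].path, "rb") as fh:
                        digests[n] = hashlib.sha256(fh.read()).hexdigest()
                if digests[n] != a.sha256:
                    return f"checksum mismatch: {n}"
        return None


def demo():
    """Run the watcher over a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        app, private = os.path.join(root, "app"), os.path.join(root, "private")
        os.makedirs(app)
        os.makedirs(private)
        with open(os.path.join(app, "engine.dll"), "wb") as fh:
            fh.write(b"version 2 build")               # differs from the asserted build
        with open(os.path.join(app, "old.tmp"), "wb") as fh:
            fh.write(b"x")
        good = hashlib.sha256(b"version 1 build").hexdigest()
        watcher = FileWatcher(private_dirs=[private])
        accepted = [
            watcher.add(Assertion(app, "engine.dll", sha256=good, message="engine.dll was modified")),
            watcher.add(Assertion(app, "*.tmp", exists=False, message="stale temp files")),
            watcher.add(Assertion(app, "readme*", message="readme missing")),
            watcher.add(Assertion(private, "*.doc", message="probe of private folder")),
        ]
        failures = [(a.message, why) for a, why in watcher.check()]
        return accepted, failures, watcher.scans


if __name__ == "__main__":
    print(demo())
```
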

[1044] The collection of watchers is large. In addition to file system watchers and system settings watchers, watchers such as serial device watchers, printer watchers, and network watchers are provided.

[1045] Community of Watchers is the Same Invention

[1046] The community of watchers approach is a variation on the invention. There are two ways to understand this point.

[1047] 1. As an implementation layer. Notice that in the invention, the inspector libraries have their actual implementations carried out by variations of such specific watchers. For example, a file system watcher is built to watch various characteristics of various files. This is then exploited by the advice reader, as follows: File related method dispatches in the advice reader are implemented as queries to the file system watcher. The file system watcher answers each query and records the query in its database of assertions. The next time the same dispatch occurs, the file system watcher uses its specialized caching, scheduling, and optimizations to get the answer more cheaply, where feasible. In this way, the community of watchers is an implementation layer for inspectors and the user interface/messaging software of the community of watchers is the advice reader software.

[1048] 2. As a variant implementation. Another way to see that the community of watchers is a related invention is to notice that the features which seem most attractive about the watcher approach, such as enabling specialized idioms for specialized tasks, are provided under both approaches. The UNIX patterning idioms are implemented by creating a named property of World referred to as located files which accepts UNIX-style patterns as the name-specifier string. The fragment:

[1049] not exists Located files “*.mat” whose (creator of it is creator “MATLAB”)

[1050] which asks for a file in UNIX notation is provided within the invention's language through an inspector for the plural property located files UNIX-pattern.

[1051] Forest of Concerns as an Optimization Strategy

[1052] The community of watchers approach to state description articulates the concept of forest of concerns. Each interested author formulates a concern about the state of the consumer computer, these concerns are relayed to the computer, and the state of the computer is continually reviewed and compared with those concerns.

[1053] From an efficiency and scheduling viewpoint, it is good to organize the process of state description around the concept of a forest of elementary concerns rather than around the concept of relevance clauses. Many pieces of advice may have as subclauses the exact same phrase, and it is inefficient to evaluate those subclauses independently. For example, consider a pool of five pieces of advice with relevance clauses making assertions about the directory Adobe Photoshop. The first is:

[1054] exists Folder “Brushes and Patterns” of Folder containing Application “Adobe Photoshop 2.5”

[1055] The second is:

[1056] exists Folder “Calibration” of Folder containing Application “Adobe Photoshop 2.5”

[1057] The third is:

[1058] exists Folder “Color Palettes” of Folder containing Application “Adobe Photoshop 2.5”

[1059] The fourth is:

[1060] exists Folder “Plug-ins” of Folder containing Application “Adobe Photoshop 2.5”

[1061] The fifth is:

[1062] exists Folder “Third-Party Filters” of Folder containing Application “Adobe Photoshop 2.5”

[1063] In each case, evaluation of the relevance clause requires the evaluation of the phrase folder containing Application “Adobe Photoshop 2.5”. In short, these five clauses do the same work five times.

[1064] It is possible to organize things differently, with the surface expressions being analyzed into a minimal collection of subexpressions. The collection of these subclauses is then watched in nonredundant fashion. More concretely, a pool of relevance clauses scheduled for joint evaluation is parsed into its forest of associated expression trees. This collection of trees is analyzed into its maximal subtrees. Two subtrees are equivalent if they are literally the same, i.e. the same method dispatches are applied to the same arguments, or are rearranged under valid applications of commutativity and associativity to be the same. An expression subtree is the child of another subtree if the associated expression occurs as a first level subexpression of the other associated expression.

[1065] A subtree is maximal if either:

[1066] (a) it has no parents, or

[1067] (b) it has at least two parents and the parents are inequivalent expressions.

[1068] The following illustrates the concept with the pool of five relevance clauses illustrated above. The first parses into:

(exists (Folder “Brushes and Patterns” (Folder-Containing (Application “Adobe Photoshop 2.5”))))

The second into:

(exists (Folder “Calibration” (Folder-Containing (Application “Adobe Photoshop 2.5”))))

The third into:

(exists (Folder “Color Palettes” (Folder-Containing (Application “Adobe Photoshop 2.5”))))

The fourth into:

(exists (Folder “Plug-Ins” (Folder-Containing (Application “Adobe Photoshop 2.5”))))

The fifth into:

(exists (Folder “Third-Party Filters” (Folder-Containing (Application “Adobe Photoshop 2.5”))))

[1069] Here, the five different relevance clauses are inequivalent because they name different properties. The collection of maximal expressions consists of these five expressions, plus one proper subexpression:

[1070] (Folder-Containing (Application “Adobe Photoshop 2.5”))

[1072] A watcher organized around the maximal expressions operates in a nonredundant fashion as follows:

[1073] 1. Parse all expressions in a collection of relevance clauses into expression trees.

[1074] 2. Identify with unique labels those maximal subexpressions which have parents.

[1075] 3. Transform each expression tree into a new tree built from references to its labeled maximal subexpressions.

[1076] When evaluating relevance, maintain extra storage, referred to as maximal-subexpression value storage, which records the value of maximal subexpressions for later use. When encountering a reference to a labeled maximal subexpression, first check this storage to see if a value is already recorded. If so, use the stored value. If not, evaluate the subexpression, recording the resulting value in the storage.

[1077] In more detail, this works as follows: For the pool of five relevance clauses above, the maximal subexpression:

[1078] (Folder-Containing (Application “Adobe Photoshop 2.5”))

[1080] is associated with position one in maximal-subexpression storage. Transform a typical relevance clause by making appropriate references to this storage. In the case of the first of the relevance clauses this works as follows:

(exists (Folder “Brushes and Patterns” (Maximal-Subexpression 1 (quote (Folder-Containing (Application “Adobe Photoshop 2.5”))))))

[1081] In summary, a wrapper referred to as Maximal-Subexpression is inserted around the identified maximal subexpression. This wrapper method has a first argument which associates the subexpression to storage index one, and a second argument which is a quoted-expression. This quoted expression is not evaluated prior to the invocation of the wrapper method. Instead it is parsed into an appropriate representation as an unevaluated data structure representing an expression for conditional evaluation which is to be passed to the wrapper method as data. The wrapper method looks at location one to see if a value is stored there. If so, the wrapper method returns that value. If not, the wrapper method asks to evaluate the subexpression which it has been passed. Upon completion of the evaluation, it stores the value in location one of the maximal-subexpression storage.

[1082] Suppose that this relevance clause is the first evaluated subexpression in a given advice pool, evaluation of which results in evaluation of the subexpression and recording of the value of the subexpression in position one of the maximal-subexpression storage.

[1083] Now consider the second item in the pool, in its transformed form:

(exists (Folder “Calibration” (Maximal-Subexpression 1 (quote (Folder-Containing (Application “Adobe Photoshop 2.5”))))))

[1084] Suppose this clause is evaluated after the previous clause. There is no evaluation of the maximal subexpression because the wrapper finds that the subexpression's value is already recorded in storage.

[1085] It remains to discuss how one can identify maximal subexpressions in a forest of expression trees. This is obtained by a tree/forest pruning algorithm. Define as a terminal form any method invocation which does not depend on any other method evaluations for its value. Formally, it is either a named property of World, such as (Application “Adobe Photoshop 2.5”), an unnamed property of World, such as (System-Folder), or a constant, such as (string “xxxx”) or (integer 1234).

[1086] The algorithm begins by scanning a pool of relevance clauses for all unique terminal forms. It associates to each unique terminal form a list of pointers to all locations in the pool where that form occurs.

[1087] The algorithm initializes a database of working subexpression forms as the collection of all terminal forms, i.e. to begin with, the working subexpression forms are the terminal subexpression forms. These are marked for evaluation at the next stage.

[1088] The algorithm proceeds in stages, each stage transforming the working subexpression forms to a collection of parent forms. The algorithm stops when the working database is empty. At a given stage, it iterates through the collection of all working forms. For each form in the working collection marked for study at this stage, it considers the collection of all parent expressions of that expression. This is available because associated with a form is a list of pointers to its occurrences in the pool.

[1089] Among those parent method invocations, it identifies the unique forms, i.e. the unique combinations of method name and method arguments which have the given subexpression as a first level subexpression. These unique invocation patterns are referred to as parent forms. If there are no parent forms, the subexpression is deleted from the working database. If there is exactly one parent form, the subexpression is replaced in the working database by its parent form, the parent form being marked for processing only at the next stage, and the pointers to the occurrences of the parent form being properly calculated, using the previously available pointers to the children occurrences.

[1090] If there is more than one parent form, then a new maximal form is recognized. It is assigned a maximal-form ID number, and a wrapper transformation is made on each expression that references the form. That is, in all those expressions where the form occurs, a wrapper is inserted around the form according to the recipe:

[1091] (Maximal-Subexpression $ID# (quote $$))

[1092] where $ID# is replaced by the ID number of the identified maximal-form, $$ refers to the occurrence of the maximal-form itself, and the (quote) form is the means of preventing immediate evaluation, as described above.

[1093] The working forms database is then expanded to include each unique parent form of the recognized maximal-form, with the newly added items marked for evaluation at the following stage, and with a list of pointers to the occurrences of each parent form in the advice pool.

[1094] At the conclusion of this algorithm, there is a collection of transformed expressions in which maximal common subexpressions have been identified and where only nonredundant evaluation is performed.

[1095] The reader may wish to verify that the algorithm produces exactly the desired result on the pool of five relevance clauses indicated earlier.
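The check suggested in [1095] can be carried out with the following added example, which is not code from the patent. It applies the definition of [1065]-[1067] directly (collecting the distinct parent forms of every subexpression in one pass) rather than the staged working-database procedure of [1086]-[1093], and it treats two subtrees as equivalent only when they are literally the same. The world data and the inspector stubs in METHODS are constructed for the illustration.

```python
import re
from collections import defaultdict

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def parse(text):
    """Parse one parenthesised expression into nested tuples."""
    tokens, pos = TOKEN.findall(text), 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced expression")
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok != "(":
            return tok.strip('"')
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("unbalanced expression")
        pos += 1
        return tuple(items)

    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return expr


def label_shared(pool):
    """Give an ID to each subexpression with two or more inequivalent parents."""
    parents = defaultdict(set)           # subexpression -> distinct parent forms

    def walk(expr):
        for child in expr[1:]:
            if isinstance(child, tuple):
                parents[child].add(expr)
                walk(child)

    for clause in pool:
        parents[clause]                  # register the root, which has no parents
        walk(clause)
    labels = {}
    for expr, forms in parents.items():  # insertion order = first occurrence
        if len(forms) >= 2:
            labels[expr] = len(labels) + 1
    return labels


def wrap(expr, labels):
    """Insert (Maximal-Subexpression ID (quote expr)) around labelled forms."""
    if not isinstance(expr, tuple):
        return expr
    rebuilt = (expr[0],) + tuple(wrap(c, labels) for c in expr[1:])
    if expr in labels:
        return ("Maximal-Subexpression", labels[expr], ("quote", rebuilt))
    return rebuilt


# Inspector stubs over a constructed world; real inspectors would query the machine.
METHODS = {
    "Application": lambda w, name: name if name in w["applications"] else None,
    "Folder-Containing": lambda w, app: w["applications"].get(app),
    "Folder": lambda w, name, parent:
        f"{parent}/{name}" if parent and f"{parent}/{name}" in w["folders"] else None,
    "exists": lambda w, value: value is not None,
}


class Evaluator:
    def __init__(self, world):
        self.world = world
        self.storage = {}                # maximal-subexpression value storage
        self.calls = defaultdict(int)    # method dispatches actually performed

    def evaluate(self, expr):
        if not isinstance(expr, tuple):
            return expr
        if expr[0] == "Maximal-Subexpression":
            _, ident, (_, quoted) = expr  # the quoted form arrives unevaluated
            if ident not in self.storage:
                self.storage[ident] = self.evaluate(quoted)
            return self.storage[ident]
        args = [self.evaluate(a) for a in expr[1:]]
        self.calls[expr[0]] += 1
        return METHODS[expr[0]](self.world, *args)


def evaluate_pool(pool_text, world, share=True):
    pool = [parse(t) for t in pool_text]
    labels = label_shared(pool) if share else {}
    ev = Evaluator(world)
    return [ev.evaluate(wrap(c, labels)) for c in pool], dict(ev.calls)


SHARED = '(Folder-Containing (Application "Adobe Photoshop 2.5"))'
POOL = [f'(exists (Folder "{name}" {SHARED}))' for name in (
    "Brushes and Patterns", "Calibration", "Color Palettes",
    "Plug-Ins", "Third-Party Filters")]
WORLD = {  # constructed sample state
    "applications": {"Adobe Photoshop 2.5": "/Apps/Photoshop"},
    "folders": {"/Apps/Photoshop/Brushes and Patterns",
                "/Apps/Photoshop/Calibration", "/Apps/Photoshop/Plug-Ins"},
}

if __name__ == "__main__":
    print(evaluate_pool(POOL, WORLD, share=True))
    print(evaluate_pool(POOL, WORLD, share=False))
```
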

[1096] Alternates to Binary Relevance Determination

[1097] The invention contemplates a situation where messages arrive and computations are performed to evaluate certain assertions with the general goal of notifying the user about certain associated messages, where the timing, format, and other attributes of the notification, including the decision to notify or not, are influenced by the results of the specified computations. The broader notion of influencing relevance appraisal may be implemented by a slight variation on the system described above.

[1098] The invention, in one embodiment, obtains appraisals of relevance according to non-binary criteria. A well formed phrase in the relevance language results in numerical values rather than Boolean values. Boolean True is viewed as equivalent to the numerical value 1.0, and the Boolean False as equivalent to the numerical value 0.0. Suppose that certain clauses in a body of advice yield Boolean values, but other clauses yield numbers taking values between 0 and 1. A value between 0 and 1 is interpreted as indicating a degree of relevance that lies intermediate between certain relevance and certain irrelevance. In one embodiment, the user interface presents to the user advisories graded according to degree of relevance, with those having value 1.0 at the top of the list and those having value 0.0 at the bottom. This type of variation, extending Boolean to Real, is well known under the name fuzzy logic.

[1099] In a different embodiment, the outcome of relevance determination is a categorical label. In this embodiment, True and False are two labels, and the user interface is keyed to display messages labeled True. However, there are also labels such as Attractive Offer or Chronic Household Situation Needing Eventual Attention. Such labels result from evaluation of relevance clauses and, depending upon the user interface attached to the invention, such labels lead to different methods of notification or different methods of presentation than other kinds of labels. The implementation of a centralized coordination authority such as advisories.com offers a mechanism for publication and coordination of such labels. The implementation of user side filtering allows the user to associate means of notification to various labels, which means include the possibility of no notification.

[1100] In one embodiment of the invention, a layer of extra analysis isinserted between relevance appraisal and user interface. Thus, theresult of relevance computation may be filtered based on userpreferences and on observation of the user. Thus, the relevancecomputation, rather than determining uniquely the notification status ofmessages, influences the notification process. For example, a user sidefiltering method (see above) whereby a user suppresses the display ofcertain messages which are nominally relevant may be implemented. In oneembodiment, such censoring mechanisms are applied automatically. Anadvice reader or other application contains a module to observe userbehavior and make inferences about user preferences which can drive suchcensoring mechanisms. Similarly, in one embodiment, prioritizationmechanisms are applied automatically. An advice reader or otherapplication contains a module to observe user behavior and makeinferences about user priorities, so that among relevant messages thosewhich are more likely to be of interest to the user are displayedearlier or more prominently.

[1101] Alternate Message Formats

[1102] Alternate to MIME Wrappers

[1103] The disclosed preferred embodiment uses MIME, a well known Internet standard, as a means of packaging advisories for transport across the Internet and other digital transport media.

[1104] Another well known means for packaging textual information for remote interpretation is the XML language. This language also makes possible hierarchical messaging, and is able to accommodate message components of the types enumerated above.

[1105] There are many implementations of the basic arrangement disclosed herein. Whether using well known protocols such as MIME and XML or proprietary protocols, they constitute implementations of the invention.

[1106] Substitutes for Three-part Messaging

[1107] The invention is discussed in terms of a three-part message, containing humanly interpretable information, a relevance clause, and computer interpretable information. These three logically connected components need not be packaged in the same physical message. There needs to be only an association between these parts. For example, the ASUP protocol sends abstracts containing only message identifiers and the relevance clause separately from the message body, consisting of explanatory content, software, and references. Under ASUP, relevance evaluation drives a second reader-server interaction, where the associated message body is obtained. In other implementations, an even looser association between relevance clause and content is maintained, where a relevant result initiates exploration of a whole sequence of messages.

[1108] Substitutes for Relevance Language

[1109] The relevance language is a convenient means of describing the state of a consumer computer and its environment. However, other languages can be modified into forms which enable computed-relevance messaging.

[1110] JAVA Model

[1111] The JAVA programming language is a well known and widely available tool for specifying computations.

[1112] In one embodiment of the invention, the role of the relevance language is played using software tools implemented in the JAVA programming language. Owing to the popularity of JAVA this might find wide acceptance among software developers and other computer professionals.

[1113] In the currently understood best method of developing this implementation, a special variant of JAVA, RELEVANCE-JAVA is developed, with its own specialized resources and evaluated by a specialized variant of the JAVA machine. The intent of this special version is to provide some of the same privacy and security characteristics as the relevance language described earlier. RELEVANCE-JAVA supplies three specific features which make it very useful:

[1114] Specialized inspector libraries. Special JAVA objects and classes developed to enable the determination of properties of the consumer computer. These inspect file system, system settings, and related properties of the computer and its environment. This is effected by turning on certain features in the JAVA virtual machine which enable access of machine characteristics.

[1115] Privacy Restrictions. While RELEVANCE-JAVA is able to learn a great deal about the user machine, it does not have the ability to transmit any gathered information back to the author. This is effected by limiting the installed objects and classes and turning off certain features in the JAVA virtual machine.

[1116] Security Restrictions. While RELEVANCE-JAVA is able to learn a great deal about the user machine, it does not have the ability to modify the machine, i.e. to modify files and to affect the system settings.

[1117] The three part messaging model described above is conducted as follows: One part consists of humanly interpretable explanatory content; one part consists of RELEVANCE-JAVA code specifying conditions under which a message becomes relevant on certain consumer machines; and one part of computer interpretable code, perhaps in a different dialect of JAVA, able to cause effects on the consumer machine after consumer approval.

[1118] Visual Basic Model

[1119] The Visual Basic programming language is a well known and widely available tool for specifying computations.

[1120] In one embodiment of the invention, the role of the relevance language is played using software tools implemented in the Visual Basic programming language. Owing to the popularity of Visual Basic this finds wide acceptance among software developers and other computer professionals.

[1121] In the currently understood best method of developing this implementation, a special variant of Visual Basic, RELEVANT-BASIC is developed with its own specialized resources and evaluated by a specialized variant of the Basic interpreter. The intent of this special version is to provide some of the same privacy and security characteristics as the relevance language described earlier. RELEVANT-BASIC supplies three specific features which make it very useful:

[1122] Specialized inspector libraries. Special Visual Basic functions and data types are developed to enable the determination of properties of the consumer computer. These have the ability to inspect file system, system settings, and related properties of the computer and its environment.

[1123] Privacy Restrictions. While RELEVANT-BASIC is able to learn a great deal about the user machine, it does not have the ability to transmit any gathered information back to the author. This is effected by limiting the installed objects and classes and turning off certain features in the BASIC interpreter.

[1124] Security Restrictions. While RELEVANT-BASIC is able to learn a great deal about the user machine, it does not have the ability to modify the machine, i.e. to modify files and to affect the system settings.

[1125] The three part messaging model is conducted as follows: One part consists of humanly interpretable explanatory content; one part consists of RELEVANT-BASIC code specifying conditions under which a message becomes relevant on certain consumer machines; and one part of computer interpretable code, perhaps in a different dialect of Visual Basic, able to cause effects on the consumer machine after consumer approval.

[1126] UNIX Model

[1127] The UNIX Shell, in its variant implementations, may be viewed as a scripting language, a well known and widely available tool for examining properties of a file system and specifying computations.

[1128] In one embodiment of the invention, the role assigned to the relevance language is instead played by software tools implemented in the UNIX shell and associated UNIX Tools. Owing to the popularity of UNIX in its variant forms, this might find wide acceptance among software developers and other computer professionals.

[1129] In the currently understood best method of developing this implementation, a special variant of the UNIX Shell, RELEVANT-Shell is developed with its own specialized resources and evaluated by a specialized variant of the Shell interpreter. The intent of this special version is to provide some of the same privacy and security characteristics as the relevance language described earlier. RELEVANT-Shell supplies three specific features which make it useful:

[1130] Specialized inspector Applications. Special applications are developed to enable the determination of properties of the consumer computer. These have the ability to inspect file system, system settings, and related properties of the computer and its environment. These are known to RELEVANT-Shell.

[1131] Privacy Restrictions. While RELEVANT-Shell is able to learn about the user machine, it does not have the ability to transmit any gathered information back to the author. This is effected by disabling access to certain communications and networking features in the shell interpreter.

[1132] Security Restrictions. While the applications reachable through RELEVANT-Shell are able to learn about the user machine, they do not have the ability to modify the machine, i.e. to modify files and to affect the system settings, except through standard mechanisms, such as creating temporary files in standard locations such as tmp and subject to resource metering.

[1133] The three part messaging model is conducted as follows: One part consists of humanly interpretable explanatory content; one part consists of RELEVANT-Shell code specifying conditions under which a message becomes relevant on certain consumer machines; and one part of computer-interpretable code, perhaps in a different dialect of Shell or other UNIX-interpretable code, able to cause effects on the consumer machine after consumer approval.

[1134] Alternate State Description

[1135] The possibility of alternate methods of describing the state of the consumer computer is described above. It is possible to describe the state without using an overall relevance language if one has available a community of watchers, each with their own peculiar interfaces. The relevance language is then replaced by whatever means of expression by which the said application modules are invoked and controlled.

[1136] Relevance-mediated Processes

[1137] The description of the invention has taken the stance that the purpose of relevance evaluation is to mediate the decision to notify a consumer about the existence of a message. To that end, the advice reader application functions as a messaging center, and advisories play a role analogous to messages in e-mail, USENET news, and other messaging modalities, in that they are read by the user as part of a user defined schedule. In this viewpoint, the user is a manager of his computer, his property, and his affiliations, and he reads advice which helps him with his concerns in that managerial role.

[1138] However, there are other non-managerial settings in which relevance can drive the presentation of information to a consumer as an integral part of certain other processes in which the consumer is engaged.

[1139] Guidance. The consumer is the user of a computer applications program, and relevance based messaging provides guidance to the consumer at the moment before performing a certain action or at the moment after performing a certain action.

[1140] Composition. The consumer is reading a document using a display application on the computer, and relevance based content adaptation shapes the document so that the humanly interpretable message targets directly the characteristics of the reader.

[1141] In fact, all such applications are embodiments of the invention. Computed relevance messaging is of value much more broadly than in the managerial mode described above.

[1142] Relevance-guided Computer Interaction

[1143] The following is an example showing how an advisory is used to guide a user in the operation of a piece of software.

[1144] Consider the following problem: A certain dangerous e-mail message has been obtaining wide distribution. When received by a user with the e-mail program Eudora 4.0, the user sees an innocent looking mail message including an attachment with an invitation to the user to open the attachment. The attachment is actually a maliciously prepared document which, if opened, can cause damage to the user's computer.

[1145] The discussion below describes one implementation of relevance based messaging which helps to deal effectively with this situation. Under that implementation, an author writes an advisory which is evaluated for relevance before a user of Eudora opens an attachment. The relevance clause inspects various attributes of the contemplated action and precisely targets an attempt to open an attachment with certain attributes. The advisory then returns text to the mail application which the mail application displays to the user.

[1146] In one embodiment, the desired effect may be produced using an inter-application communication framework as follows:

[1147] The mail reader application has a special collection of relevance evaluation events, i.e. predefined events which are well known to authors of advisories.

[1148] Whenever one of these events occurs, the mail reader notifies the advice reader of the event via a standard event notification protocol.

[1149] The advice reader maintains event pools, i.e. advisories intended for evaluation upon receiving notice of certain events.

[1150] The advice reader evaluates the advisories in an event pool upon receiving notice of the corresponding event.

[1151] The advice reader notifies the user of a relevant message by either:

[1152] Notifying the user of the application directly, employing standard user interface devices of the advice reader; or

[1153] Sending the relevant messages to the mail reader. The mail reader then displays those messages for the user, according to the user interface standards of that application.

[1154] The choice between these methods of notification is made under the control of user preferences, author preferences, or application defaults.

[1155] This event-driven framework is particularly powerful when:

[1156] The application sending an event signal includes descriptive information about the event. In the mail reader context, the event Eudora About to Open Attachment is accompanied by information about the sender of the mail, information about the name of the attachment file, and information about attributes of the attachment file.

[1157] The advice reader contains an inspector library which refers to properties furnished by the application, e.g. mail sender and file name.

[1158] In this context, if someone wants to warn every user receiving mail from king@athens.gr with an attachment named trojan.txt that he should not open the attachment, it is possible to author a relevance clause targeting the advisory to those people about to open such an attachment. The routing of advisories to advice event pools is handled through the header line mechanism of MIME and the message line variations discussed above. A simple header line of the form advice-event-pool:, followed by the name of a predefined advice event, indicates the desired routing.
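The event-pool routing and evaluation described in paragraphs [1146] to [1158], as an added Python sketch that is not part of the patent text. The advice-event-pool header, the event name, and the sender and attachment values come from the text; the relevance header, the `property = "value"` clause syntax, the property names, and the case-insensitive comparison are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed advisory. The "relevance" header and its clause syntax are
# assumptions for this sketch; the patent does not define them here.
ADVISORY = (
    "advice-event-pool: Eudora About to Open Attachment\n"
    'relevance: mail sender = "king@athens.gr" and attachment name = "trojan.txt"\n'
    "\n"
    "Do not open the attachment trojan.txt sent by king@athens.gr.\n"
)

TERM = re.compile(r'\s*([a-z][a-z ]*?)\s*=\s*"([^"]*)"\s*')


def parse_clause(text):
    """Parse 'prop = "value" and prop = "value"' into (property, value) pairs."""
    terms = []
    for part in text.split(" and "):
        match = TERM.fullmatch(part)
        if match is None:
            # Anything outside the tiny grammar is rejected, not guessed at.
            raise ValueError(f"unsupported relevance term: {part!r}")
        terms.append((match.group(1), match.group(2)))
    return terms


class AdviceReader:
    def __init__(self):
        # event name -> list of (parsed clause, humanly interpretable body)
        self.event_pools = defaultdict(list)

    def gather(self, raw_advisory):
        """Route an incoming advisory to the pool named in its header line."""
        msg = message_from_string(raw_advisory)
        pool = msg["advice-event-pool"]
        clause = msg["relevance"]
        if pool is None or clause is None:
            raise ValueError("advisory lacks routing or relevance header")
        self.event_pools[pool.strip()].append(
            (parse_clause(clause), msg.get_payload().strip())
        )

    def on_event(self, event_name, properties):
        """Called by the mail reader; returns bodies of relevant advisories.

        The clause sees only the properties the application furnished with
        the event, and a missing property makes the advisory not relevant.
        """
        seen = {name: str(value).casefold() for name, value in properties.items()}
        relevant = []
        for clause, body in self.event_pools.get(event_name, []):
            if all(seen.get(prop) == value.casefold() for prop, value in clause):
                relevant.append(body)
        return relevant
```

The returned bodies are what the advice reader would either display itself or hand back to the mail reader, according to the preferences described in [1154].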

[1159] Relevance-adapted Communication

[1160] The following is an example showing how relevance is used to customize the distribution of a body of information (see FIG. 19):

[1161] Consider the following problem: A certain publisher wants to create an electronic document whose content is tailored to the reader, for example because it consists of advertising which is more suitable for some readers than others, or because it consists of technical information which is more suitable for some readers than others. However, an ideal customization requires intimate knowledge of the configuration and details of the consumer's preferences, possessions, and affiliations, information which is not likely to be made available by consumers.

[1162] The discussion below describes an implementation of a system using the relevance evaluation components of the invention. This implementation allows the publisher to create relevance adapted documents, allowing solution of the problem. The publication is distributed as a digital document containing embedded within it references to many possible variations in content. The selection among possible variants is driven by relevance clauses. The components of the document that actually appear on the user's display are those which are selected based on intimate knowledge of the characteristics of the user.

[1163] The following is one implementation of such a system: A certain base document processing target format is chosen. Suppose for concreteness this is HTML. A special source format is then defined, consisting of documents. In the present context, this is referred to as PRE-HTML. This source format 194 offers the possibility of arranging many hierarchically nested fragments of modified HTML in a linear order. Each component of such an arrangement is protected by one or more relevance clauses. The components of the source format differ from HTML in that they also offer embedded include expressions from the relevance language.

[1164] The advisory author writes the document with relevance clauses and inspector clauses 191. To create a custom document for a specific user, the source format document is transported to the user computer 192, and the document in source format is compiled into a custom target format document 195. The target format document is then processed by the intended target document processing system, producing a display of a customized document 193.

[1165] The compilation step is the step where the customization occurs and bears closer examination. As the source document is processed, various components are encountered. Those which are protected by relevance clauses which evaluate to False or at any rate not to True are discarded. They do not appear in the final target format file. Those which are protected by relevance clauses which evaluate to True are retained. They do appear in the final target format file. Each retained component is processed before placement in the target document file. If any include expressions are identified in the file, then those expressions are evaluated, and the results are interpolated into the target document file.

[1166] This solves the problem of customized document preparation because the relevance language enables the provider to prepare documents which are customized as if the author had access to detailed intimate knowledge of properties of the consumer's computer and environment, but it does so without the need for the consumer to reveal that intimate information to the provider.

[1167] This embodiment of the invention posits a provider with information which is presented to various consumers in precisely defined circumstances, and it uses the relevance guarded messaging model described above. Here, the gatherer, the watcher, and the notifier have different structure than they do in the invention as described above, but at an abstract level their functions are similar. For example, the tool which compiles a source format document into a target format document plays the role of both watcher and notifier in the five-part model discussed above, while the target document processing system plays the role of user interface for the notifier. The role of gatherer is played by whatever system or systems bring the source format document into the consumer environment.

[1168] There are privacy considerations in this sort of customized documentation. The use of HTML as a target language, for example, means that there is a possibility of leaks.
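The compilation step of [1165], as an added Python sketch that is not part of the patent text. The patent does not give PRE-HTML syntax, so the `<!--relevant: ... -->` and `<!--end-->` markers and the `$$ ... $$` include delimiters are assumptions, relevance clauses are treated as opaque strings answered from a constructed table of inspector results, and the leak report reflects one assumed reading of [1168]: a retained fragment that references a remote resource reveals, when fetched, that its guarding clause was True.

```python
import html
import re

OPEN, CLOSE = "<!--relevant:", "<!--end-->"          # hypothetical markers
INCLUDE = re.compile(r"\$\$\s*(.*?)\s*\$\$")          # hypothetical delimiters
REMOTE = re.compile(r"""(?:src|href)\s*=\s*["'](https?://[^"']+)""", re.I)

# Constructed source document and constructed inspector results.
SOURCE = """\
<h1>Printer support</h1>
<!--relevant: printer installed -->
<p>Driver update for your $$ name of printer $$.</p>
<!--relevant: printer driver out of date -->
<p>Your driver is out of date.</p>
<!--end-->
<img src="http://ads.example/laserjet.gif">
<!--end-->
<!--relevant: scanner installed -->
<p>Scanner owners: see <a href="http://ads.example/scanner">this offer</a>.</p>
<!--end-->
<!--relevant: modem installed -->
<p>Modem note.</p>
<!--end-->
<p><a href="http://www.example/support">Contact support</a></p>
"""
SITE = {
    "printer installed": True,
    "name of printer": "LaserJet 4 <PCL>",
    "printer driver out of date": True,
    "scanner installed": False,
    # "modem installed" is deliberately unknown on this machine
}


def evaluate(expression):
    """Stand-in for the relevance evaluator: look up a constructed result."""
    return SITE[expression]


def is_true(evaluate_fn, clause):
    """Only a literal True retains a fragment; errors and other values do not."""
    try:
        return evaluate_fn(clause) is True
    except LookupError:
        return False


def compile_prehtml(source, evaluate_fn):
    """Return (target_html, leaks); leaks are (source line, remote URL) pairs."""
    out, leaks, stack = [], [], []      # stack: is each open fragment retained?
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(OPEN) and stripped.endswith("-->"):
            parent_live = stack[-1] if stack else True
            clause = stripped[len(OPEN):-3].strip()
            # Clauses nested in a discarded fragment are never evaluated.
            stack.append(parent_live and is_true(evaluate_fn, clause))
            continue
        if stripped == CLOSE:
            if not stack:
                raise ValueError(f"line {lineno}: end marker without a fragment")
            stack.pop()
            continue
        if stack and not stack[-1]:
            continue                     # discarded: never reaches the target
        had_include = INCLUDE.search(line) is not None
        # Inspector results are data, so escape them before interpolation.
        rendered = INCLUDE.sub(
            lambda m: html.escape(str(evaluate_fn(m.group(1)))), line)
        if stack or had_include:
            leaks.extend((lineno, url) for url in REMOTE.findall(rendered))
        out.append(rendered)
    if stack:
        raise ValueError("unclosed relevance-protected fragment")
    return "\n".join(out), leaks
```

On the constructed input the report names source line 7, the image inside the retained printer fragment, while the unguarded support link on the last line is not reported.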

[1169] Other implementations of relevance driven document customization are possible. For example, one could develop a system in which the source document is not compiled once and for all into a target document in a well known format but, rather the source document is structured for interactive interpretation. The following is an example: A source document consists of many pages of PRE-HTML. Embedded in the source document are conditional compilation blocks protected by relevance clauses, and include expression substitutions using the relevance clauses, as described before. As the viewer goes through the document from page to page, each page is compiled from PRE-HTML to HTML and displayed as needed. Under this model, the user's path through the document is determined only at run time. For example, certain links in the document are relevance protected. The relevance expressions refer to attributes of the environment that are changing as the reader progresses through the document, i.e. they are changing because the reader is progressing through the document. For example, a reader is prompted for information as part of his reading of the document and, as a result of the prompt, a site profile variable changes, causing pages visited later in the reading to change as a result.

[1170] Remote Access to Personal Information

[1171] The invention makes it possible for an advisory author to target situations based on an arbitrary combination of computationally verifiable conditions of the consumer computer and its environment. This environment may include data which may be of a personal nature. To the extent that certain kinds of personal data may be widely assumed to exist in a standard format on a substantial population of personal computers this creates the possibility of the invention being used to advise a substantial population of individuals on issues of a personal nature. Natural applications areas include:

[1172] Personal Finance: If information about individual financial assets is assumed to exist on the consumer computer or in its environment in a standard format on a large collection of consumer computers, then advice authors can provide a large body of individuals timely and relevant advice about their bank account management or about their investment portfolio.

[1173] Personal Health Issues: If information about individual medical records is assumed to exist on the consumer computer or in its environment in a standard format on a large collection of consumer computers, then advice authors can provide a large body of individuals timely and relevant advice about drug interactions, or about interactions between genetic or blood type information and drugs.

[1174] This creates an unprecedented opportunity, i.e. the ability to offer highly targeted advice without compromising individual privacy. Although the advice author is authoring detailed assertions about the finances or health of the consumer, and although it requires intimate knowledge of sensitive personal information to evaluate those assertions, the system itself is not revealing this information back to the author. The consumer may, in some circumstances, choose to reveal such information after reading a relevant advisory.

[1175] Such applications are limited by the need for consumers to capture and maintain accurate data in a standard format about items which concern the consumers and which are accessible in a means well known to advice providers. It would be highly desirable to remove the data management and data input burden under this arrangement, so that consumers are not required to become data managers. In particular, it would be highly desirable for the professional organizations responsible for maintaining accurate data about their customers to be the locus of responsibility for data integrity. For example:

[1176] Pharmacies maintain records about their customers.

[1177] Doctors maintain records about their patients.

[1178] Financial institutions maintain records about their clients.

[1179] These actors are paid, in part, for keeping accurate and timely records about their patients, customers, or clients.

[1180] It would be highly desirable for consumers to have access to some key information that is maintained for them by the professional organizations with which they are affiliated. For example:

[1181] Instead of a consumer entering into his computer data about his drug prescriptions, it would be desirable for the needed data to be obtainable from the pharmacy automatically on demand by the consumer computer.

[1182] Instead of a consumer entering into his computer data about his stock portfolio and manipulating it daily, it would be desirable for any needed data to be obtained from the financial institution automatically on demand by the consumer computer.

[1183] Instead of a consumer entering into his computer data about his health records and manipulating the data as they change, it would be desirable for any needed data to be obtained from the medical institution automatically on demand by the consumer computer.

[1184] The following is a solution to this problem using the invention:

[1185] A standard collection of remote medical records inspectors, remote financial records inspectors, and remote drug prescription inspectors is developed, and their syntax and use is published. These inspectors have both server side components and client side components, to be described later.

[1186] Advice authors write advice concerning various issues associated with such personal information.

[1187] Certain doctors, financial institutions, and pharmacies install server side components at computers in their offices. They advertise to the public the availability of remote information access.

[1188] The consumer who is interested in benefiting from advice written using remote information access approaches the financial institution, doctor, or pharmacy and authorizes participation of his own information in the server software.

[1189] The consumer subscribes to certain advice sites whose advice includes advice making use of the remote inspectors. The subscription is initialized appropriately so that the consumer computer's advice reader makes use of the information.

[1190] Such advice is periodically evaluated according to the advice pool in which the advice is placed. Evaluation causes the consumer computer to establish connections to remote computers to obtain needed information. For example, the remote drug prescription inspector library on the consumer machine establishes a connection with the pharmacy information server and performs certain queries to check if the consumer has certain problematic prescription combinations.

[1191] The following is an example of an advisory that is written using this system: Suppose that a certain pharmaceutical manufacturer provides an antidepressant drug to its patients, and that it is discovered that patients who also use a certain anti-inflammatory may experience difficulties. In practice, one prescription might be due to a psychiatrist and the other by an orthopedist who might not be aware of the patient's other medical prescriptions. The manufacturer authors an advisory referring to the dangerous combination as follows:

[1192] exists pharmacy prescription “Xanax” and exists pharmacy prescription “Buterin”

[1193] The manufacturer includes a description of the potentially dangerous combination for a message body. When the advice reader on the consumer computer encounters this relevance clause, it contacts the pharmacy server with queries for pharmacy prescription Xanax and pharmacy prescription Buterin. It determines the relevance of the advisory based on this. It notifies the consumer of the situation if it turns out to be relevant.

[1194] An important issue in determining the consumer acceptance of this system is the ability of the system to protect consumer privacy. To this end, the interaction between client and server is carefully protected:

[1195] The connection between consumer client and pharmacy server is secured by standard cryptographic means (e.g. SSL protocol).

[1196] The identity of the client requesting the information is authenticated by the pharmacy server by standard cryptographic means.

[1197] By these devices, the pharmacy server avoids revealing information about a person except to the advice reader on that person's computer. The advice reader on that person's computer does not reveal information so received, at least under ordinary operations.

[1198] The following is a convenient interaction protocol for such remote inspectors. In this protocol, it is simple to make the client side software. The client transmits, over a secure link, ASCII strings describing the queries exactly as they are described in the surface language. In the above example, the client transmits “pharmacy prescription Xanax.” The server parses this using a miniature version of the relevance clause parser evaluator. The server knows that this clause refers to the prescription records of Joseph A. Patient because of the initial authentication work and, using standard database inquiry methods, searches the pharmacy database for an entry indicating that Mr. Patient had a pharmacy prescription to Xanax. The server then returns True or False as an ASCII string, and the client parses this string and returns the corresponding Boolean to the advice reader.
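The query and reply exchange of [1194] to [1198], as an added Python sketch that is not part of the patent text. The secured, authenticated link is assumed and is modelled by a session object that already carries the authenticated patient id; the patient ids, the table layout, the straight-quote query form, and the Error reply for unparseable input are assumptions for this illustration.

```python
import re
import sqlite3

# The only query shape the miniature server-side parser accepts.
QUERY = re.compile(r'pharmacy prescription "([A-Za-z][A-Za-z0-9 \-]{0,63})"')

# The advisory's clause from the text, written with straight ASCII quotes.
CLAUSE = ('exists pharmacy prescription "Xanax" and '
          'exists pharmacy prescription "Buterin"')


def make_pharmacy_db():
    """Constructed sample records; ids and rows are made up for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prescriptions (patient_id TEXT, drug TEXT)")
    db.executemany(
        "INSERT INTO prescriptions VALUES (?, ?)",
        [("patient-001", "Xanax"), ("patient-001", "Buterin"),
         ("patient-002", "Xanax")],
    )
    return db


class PharmacyServer:
    def __init__(self, db):
        self.db = db

    def open_session(self, authenticated_patient_id):
        """Stand-in for the link after SSL setup and client authentication.

        The patient id is fixed here by the server; the query text sent
        later has no way to name a different patient.
        """
        def send(line: bytes) -> bytes:
            return self._answer(authenticated_patient_id, line)
        return send

    def _answer(self, patient_id, line):
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            return b"Error"
        match = QUERY.fullmatch(text)
        if match is None:
            return b"Error"              # not the one supported query shape
        row = self.db.execute(
            "SELECT 1 FROM prescriptions WHERE patient_id = ? AND drug = ? LIMIT 1",
            (patient_id, match.group(1)),   # bound parameters, never string-built SQL
        ).fetchone()
        # Only a Boolean leaves the server, never the record itself.
        return b"True" if row else b"False"


def remote_exists(send, query):
    """Client side: transmit the ASCII query and parse the ASCII reply strictly."""
    reply = send(query.encode("ascii"))
    if reply == b"True":
        return True
    if reply == b"False":
        return False
    raise ValueError(f"server rejected query: {query!r}")


def advisory_relevant(send, clause):
    """Evaluate 'exists <query> and exists <query>' using the remote inspector."""
    queries = []
    for term in clause.split(" and "):
        term = term.strip()
        if not term.startswith("exists "):
            raise ValueError(f"unsupported term: {term!r}")
        queries.append(term[len("exists "):])
    return all(remote_exists(send, q) for q in queries)
```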

[1199] Bi-directional Communications

[1200] An intent of the invention is to allow only one way communication, taking information from advice provider to advice consumer, but not allowing information to leak back from consumer to provider. The phrase one way membrane evokes this.

[1201] However, there are numerous situations where this model is restrictive. For example, in certain situations consumers are willing to cooperate with providers, particularly when they receive a benefit from cooperating. An example is when consumers want to get technical support to solve a specific problem which existing advisories do not address. For the sake of solving their problem, they are willing to disclose various pieces of information about their configuration to the solution provider. In other situations, advice consumers subscribing to a certain site are actually employees of the organization which operates the advice site, and so they are willing to share information with that particular advice provider.

[1202] Open Bi-directional Communications

[1203] The phrase open bidirectional communications refers to a setting where the invention is run and the communications are typically one way, but occasionally there are processes which feed back information to the advice provider, and the process takes place in the clear with the consumer computer identity explicitly available to the provider.

[1204] Questionnaires

[1205] In one implementation (see FIG. 20), a particular document type is defined, referred to as a questionnaire 200, containing text together with comments, together with distinguished Include-Expressions. Suppose that Include-Expressions are delimited by double Dollar Signs as in $$. The Include-Expressions are written in the relevance language, and need not evaluate to True or False. For example, they are string- or integer-valued. Suppose also that comments are preceded by %-signs.

[1206] An example questionnaire is:

[1207] % Data needed by ABC Corporation to

[1208] % Diagnose the XYZ Problem

[1209] Inventory of User Computer Configuration:

[1210] Computer Manufacturer: $$ Manufacturer of Computer $$

[1211] Model: $$ Model of Computer $$

[1212] OSVersion: $$ version of Operating System $$

[1213] RAM: $$ System Ram $$

[1214] Disk: $$ size of boot volume $$

[1215] This questionnaire contains text, such as computer manufacturer,as well as Include-Expressions, such as manufacturer of computer. Theintent of the questionnaire is that information about the type ofcomputer and about certain features be collected by the advice readerusing its rich library of inspectors.

[1216] The following is an example showing how questionnaires are used:A questionnaire such as that above is authored by an advice provider 200and is inserted inside the solution component of an advisory as a MIMEcomponent with distinctive content-type 201. The consumer sees arelevant advisory 202, accompanied by humanly interpretable content. Thehumanly interpretable content says:

[1217] You have the XYZ situation. In order to help you, we at ABC Corp.need some information about this situation—information about your systemsetting. This information can be automatically gathered for you ifyou'll push the button on the left below. You'll be given a chance toreview the information and then to approve its transmission to ABC Corp.

[1218] Below the advisory are two buttons: one saying Gather information and the other saying Review Request. The first button signifies approval to gather the information; the second button signifies a request to view the source file of the questionnaire and thereby learn more about the provider's request to gather data.

[1219] If the user approves 203, the relevance clauses in the questionnaire are evaluated 204, for example using various inspectors 205, 206, and the corresponding results are included in the result where the relevance clauses had been. In the case of the previous example, this process produces:

[1220] % Data needed by ABC Corporation to

[1221] % Diagnose the XYZ Problem

[1222] Inventory of User Computer Configuration:

[1223] Computer Manufacturer: Toshiba

[1224] Model: T1200

[1225] OSType: Windows 98

[1226] OSVersion: 1.0

[1227] RAM: 64M

[1228] Disk: 2G

[1229] The user may be shown the results of the include process and given a chance to inspect the results and to relay the results to the advice provider. In one implementation, the results are presented to the user as part of a mailer window, showing the intended recipient of this information 207, and with a button at the bottom marked Send It 208.

[1230] By this device, the relevance language simplifies communications between advice provider and advice consumer, allowing inspectors to gather information needed by the advice provider that is difficult for consumers to gather for themselves. The provider is helped because it quickly and accurately obtains information that may be essential in the technical support process, and the customer is helped because the process removes a burden which he would have had of finding the correct data and of reporting it accurately.

[1231] For this method to work it must have consumer acceptance. Consumers are sensitive to the possibility of questionnaire spoofing, where a questionnaire purports to gather information of one kind, e.g. CPU type, while actually gathering information about another kind, e.g. VISA card number or passwords.
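The include process of [1219] and the spoofing concern of [1231], as an added example that is not part of the original specification: the reader lists every Include-Expression for review and refuses to evaluate any that is not on a consumer-side allow-list. The inspector table, the allow-list, the returned values and the spoofed expression are constructed for illustration; the relevance language itself is modelled here as a simple lookup by expression text.

```python
import re

INCLUDE = re.compile(r"\$\$(.+?)\$\$")   # $$ expression $$ as described in [1205]

def normalise(expr):
    """Collapse whitespace and case so '$$ System Ram $$' matches 'system ram'."""
    return " ".join(expr.split()).lower()

def is_comment(line):
    return line.lstrip().startswith("%")  # comments are preceded by %-signs

def requested_expressions(text):
    """What 'Review Request' would show: every expression that would be evaluated."""
    found = []
    for line in text.splitlines():
        if is_comment(line):
            continue
        if "$$" in INCLUDE.sub("", line):          # a stray delimiter is left over
            raise ValueError("unterminated Include-Expression: " + line)
        found.extend(normalise(e) for e in INCLUDE.findall(line))
    return found

def fill(text, inspectors, allowed):
    """Evaluate the questionnaire only if every expression is known and allowed."""
    refused = sorted({e for e in requested_expressions(text)
                      if e not in allowed or e not in inspectors})
    if refused:                                    # nothing is evaluated on refusal
        raise PermissionError("refused Include-Expressions: " + ", ".join(refused))
    out = []
    for line in text.splitlines():
        if not is_comment(line):
            line = INCLUDE.sub(
                lambda m: str(inspectors[normalise(m.group(1))]()), line)
        out.append(line)
    return "\n".join(out)

# The questionnaire from the text.
SAMPLE = """% Data needed by ABC Corporation to
% Diagnose the XYZ Problem
Inventory of User Computer Configuration:
Computer Manufacturer: $$ Manufacturer of Computer $$
Model: $$ Model of Computer $$
OSVersion: $$ version of Operating System $$
RAM: $$ System Ram $$
Disk: $$ size of boot volume $$"""

# Constructed inspectors returning the values shown in the text's filled-in result.
INSPECTORS = {
    "manufacturer of computer": lambda: "Toshiba",
    "model of computer": lambda: "T1200",
    "version of operating system": lambda: "1.0",
    "system ram": lambda: "64M",
    "size of boot volume": lambda: "2G",
}
ALLOWED = set(INSPECTORS)   # constructed policy: hardware inventory only

# Constructed spoofing case: the label says CPU type, the expression asks for more.
SPOOFED = "CPU type: $$ stored passwords of user $$"

if __name__ == "__main__":
    print(fill(SAMPLE, INSPECTORS, ALLOWED))
    try:
        fill(SPOOFED, INSPECTORS, ALLOWED)
    except PermissionError as exc:
        print(exc)
```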

[1232] One technique to further consumer acceptance is for a privacy ratings service at a central site to certify questionnaires as being in accord with privacy standards when they are appropriate implementations of the randomized response protocol. Under existing Web protocols (see Khare, Rohit (1997) Digital Signature Label Architecture, The World Wide Web Journal, Summer 1997, Vol. 2, Number 3, pp. 49-64, O'Reilly, Sebastopol, Calif., http://www.w3.org/DSIG) there is a method for the establishment of ratings services which can reliably certify that certain messages have certain properties. The credibility of such assertions, i.e. that they are actually made by the service and not by an impostor, is based on deployment of standard authentication and encryption devices. Applying this technology, a privacy ratings service is established at a central site, e.g. Better Advice Bureau.org, to certify that certain questionnaires gather information in a fashion generally accepted as appropriate for the advertised task, and the information is used by the solicitor in a manner to protect individual identity. Advice authors seeking certification of the privacy respecting character of their questionnaires submit those messages to the certification authority, which studies the messages and, at its option, agrees to certify some of those messages as privacy respecting. In one embodiment of the invention, the user interface of the advice reader or similar component is configured to permit questionnaires to be displayed to users only when they have been credibly certified by a trusted privacy ratings service.

[1233] Mandatory Feedback

[1234] In one embodiment of the invention (see FIG. 21), open two-way communication is possible for the purposes of maintaining a relationship with a certain trusted provider.

[1235] This assumes a consumer situation different from the usual invention setting. In this variant setting, certain kinds of advice providers enjoy a special status, for example as employers or contractors, which allows them certain coercive privileges not ordinarily enjoyed by advice providers in other settings. These overlord advice sites 210 publish advisories that are gathered by a reader 211, which then performs a relevance evaluation on the advisory 212. Relevant messages are displayed 213 to the user and the user may approve or deny such action 214 as recommended by the advisory. A feedback path 216 enables user actions to be reported 215 to the overlord advice site.

[1236] In this embodiment, any of the following options may be exercised:

[1237] Certain advice site subscriptions are mandatory;

[1238] Certain advice cannot be deleted by the user, advice by certain providers is not subject to user scheduling, prioritization, or deprecation;

[1239] Certain advice generates automatic feedback from the user to the provider, concerning some or all of:

[1240] (a) The consumer computer's identity;

[1241] (b) The relevance status of a certain advisory on that computer; and

[1242] (c) The fact that a user has/has not taken a certain recommended solution in a certain advisory.

[1243] The feedback is transmitted by e-mail or by other convenient electronic means.

[1244] In this setting, a manager of many computers can:

[1245] (1) write advisories destined to many machines he is managing;

[1246] (2) expect that the machines all receive the advisory; and

[1247] (3) expect to receive, in return, information about the relevance and/or solution status of the advice on all those machines.

[1248] This set of functions may be implemented by modifying the basic advice reader architecture discussed above (see FIG. 22).

[1249] Advice sites 220 may be given a special overlord status (as discussed above in connection with FIG. 21) by configuring the subscription manager of the advice reader to enable such special status.

[1250] A new message line type, Mandated-Action, is instituted and is used by advice sites with overlord status to label a message component with a special keyword phrase as invoking a certain coercive privilege:

[1251] Not user deleteable labels a message as not deletable by the user through the advice reader user interface 221;

[1252] On relevance 222, Evaluate questionnaire 223 and mail back 224 labels a message as requiring immediate notification 225 of the author via a feedback path 226 upon relevance, the notification involving first processing of a questionnaire filling in the various include fields and second transmitting the information to the author;

[1253] Mail back on user acceptance labels a message as requiring immediate notification of the author upon user accepting a proposed action by selecting the action button of an associated advisory;

[1254] Mail back on user refusal labels a message as requiring immediate notification of the author upon user accepting a proposed action by selecting the action button of an associated advisory. The advice reader is modified in the appropriate way to carry out the indicated function when a message with overlord status is received and processed.

[1255] Masked Bi-directional Communications

[1256] It is possible to enable bidirectional communications while preserving some degree of privacy protection by masking the identity of the respondent.

[1257] Masking Via Anonymous Communications and Privacy Ratings

[1258] In one implementation (see FIG. 23), an advice provider 231 obtains detailed information from consumer computers while communicating with consumers anonymously, thus enabling consumers to protect their own privacy. This embodiment of the invention limits the scope of communications so that when messages return to the advice provider:

[1259] Message headers contain no information uniquely identifying the respondent;

[1260] Message bodies themselves contain no information uniquely identifying the respondent; and

[1261] The process has these components:

[1262] An advice provider 231 authors a document such as a questionnaire as described above, for gathering information automatically or an HTML form for gathering information by consumer interview. The user's advice reader 232 gathers this information.

[1263] Upon determining relevance 233:

[1264] If the document is a questionnaire, the advice reader fills in the appropriate include fields.

[1265] If the document is an HTML form, the consumer fills in the appropriate survey questions.

[1266] The document is e-mailed to the provider via anonymous routing along feedback paths 235, 236 through a certain centralized site, e.g. the Better Advice Bureau, advisories.com, or another site 230 offering identity protection via anonymous remailer or functionally equivalent services.

[1267] The final stage of this process removes information about the identity of the consumer, by stripping such identity from the message headers. Consumers are expected to have confidence in the fundamental validity of this approach because they understand that the centralized site has an incentive to protect the integrity of the process.

[1268] The consumer himself is responsible for ensuring that the message body is free of identifying information. For example, if the consumer responds to an HTML form asking for his name and address, then he is not protecting his own identity. If the consumer forwards a questionnaire containing identifying information, such as IP address, then he is not protecting his own identity.

[1269] In one implementation, the consumer protects his privacy with the help of a privacy ratings service at a central site. Under existing internet protocols (see Khare, Rohit, Digital Signature Label Architecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64, O'Reilly (1997) http://www.w3.org/DSIG) there is a method for the establishment of ratings services which reliably certifies that certain messages have certain properties. The credibility of such assertions, i.e. that they are actually made by the service and not by an impostor, is based on deployment of standard authentication and encryption devices. Applying this technology, a privacy ratings service is established at a central site, e.g. Better Advice Bureau.org, to certify that certain questionnaires do not contain devices soliciting sensitive information. Advice authors seeking certification of the privacy respecting character of their messages submit those messages to the certification authority which studies the messages and, at its option, agrees to certify some of those messages as privacy respecting. In one embodiment of the invention, the user interface of the advice reader or similar component is configured to permit questionnaires and forms to be displayed to users only when they are credibly certified by the privacy ratings service.

[1270] Masking Via Randomized Response

[1271] In one implementation, an advice provider obtains detailed information from consumer computers while enabling consumers to protect their own privacy. This embodiment of the invention limits the scope of communications so that when messages return to the advice provider:

[1272] Message bodies themselves contain no information which can be reliably inferred to reflect the true state of the consumer's computer or environment.

[1273] In certain embodiments, the technique is supplemented by the use of centralized anonymous communications and centralized privacy certifications.

[1274] The process has these components:

[1275] An advice provider authors a document similar to a questionnaire as described above, for gathering information automatically, however obeying additional constraints.

[1276] The advice reader fills in the appropriate include fields, randomly changing the answers, and changing the correct answers to incorrect answers, depending on a random mechanism.

[1277] The resulting document is returned to the author.

[1278] In one implementation, the process by which the information is returned is made anonymous. The document is addressed to a certain centralized site, e.g. the Better Advice Bureau, or advisories.com, or another site offering identity protection via anonymous remailer or functionally equivalent services. This final stage of this process removes information about the identity of the consumer by stripping such identity from the message headers.

[1279] The following discussion describes the concept of randomly changing the answers in more detail: Suppose that only questionnaires with Boolean values are allowed, although more general questionnaires are allowed with extra work. The relevance evaluation component of the advice reader evaluates the Boolean expressions indicated in the include fields. However, it does not always insert the result in the outgoing message. Refer to R as the value obtained by relevance evaluation. Instead of always substituting a representation of R in place of the include field, the advice reader conducts a two stage stochastic experiment. At the first stage, it obtains a random Boolean X from a random number generator, the random Boolean being equally likely to be True or False. The value of X is kept private, and drives a decision at the first stage. In this decision, if X is True, the decision is taken to insert a representation of R in the include field. If X is False, the decision is taken to obtain a second Boolean Y, again equiprobable, and to insert a representation of Y in the include field. As a result, in any specific message, it is impossible to say whether the answer obtained at the relevance evaluation stage (R) is True or False on the basis of that message alone because the reported value is equally likely to be R or Y, and the variable X driving the choice between R and Y is not divulged.

[1280] This provides a degree of privacy protection for the consumer.

[1281] At the same time, this randomized response communications protocol makes it possible for the questionnaire author to obtain information reliably about the population of users while not revealing information about specific users. If π denotes the fraction of users in the sample with a certain characteristic, and p denotes the fraction of True responses received, then:

$E(p) = \tfrac{1}{4} + \tfrac{\pi}{2}$

[1282] where E(·) denotes mathematical expectation.

[1283] From p≈E(p) (the law of large numbers), π can be estimated by:

$\hat{\pi} = 2\left(p - \tfrac{1}{4}\right)$.

[1284] For example, if 61% of the responses are True, one estimates that 72%=2(61%-25%) of the sample has the given characteristic.
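The two-stage experiment of [1279] and the estimator of [1283], as an added example that is not part of the original specification. It goes slightly beyond the text by also computing the standard error of the estimate and, by Bayes' rule, how much a single reported value shifts belief about one consumer; the function names, the simulated population and the seed are constructed.

```python
import math
import random

def randomized_response(r, rng):
    """Report R if the private coin X is True, otherwise report a fresh coin Y."""
    x = rng.random() < 0.5            # first-stage coin X, never transmitted
    if x:
        return r
    return rng.random() < 0.5         # second-stage coin Y replaces the answer

def estimate_pi(p):
    """Invert E(p) = 1/4 + pi/2. Sampling noise can push the raw value
    outside [0, 1], so the result is clamped."""
    return min(1.0, max(0.0, 2.0 * (p - 0.25)))

def standard_error(p, n):
    """pi_hat = 2(p - 1/4), so Var(pi_hat) = 4 * p * (1 - p) / n."""
    return 2.0 * math.sqrt(p * (1.0 - p) / n)

def posterior_true(reported, prior):
    """P(R is True | one reported value). The report equals R with
    probability 3/4: 1/2 (X True) + 1/2 * 1/2 (X False and Y happens to match)."""
    like_true = 0.75 if reported else 0.25
    like_false = 0.25 if reported else 0.75
    numerator = like_true * prior
    return numerator / (numerator + like_false * (1.0 - prior))

def simulate(true_pi, n, seed):
    """Constructed population: n consumers, a fraction true_pi have R = True.
    A seeded generator keeps the run reproducible; a deployed reader would
    pass random.SystemRandom() so the coins cannot be predicted."""
    rng = random.Random(seed)
    truths = [rng.random() < true_pi for _ in range(n)]
    reports = [randomized_response(r, rng) for r in truths]
    p = sum(reports) / n
    return p, estimate_pi(p), standard_error(p, n)

if __name__ == "__main__":
    print("text's example:", estimate_pi(0.61))
    p, pi_hat, se = simulate(true_pi=0.72, n=200_000, seed=1)
    print(f"p={p:.4f} pi_hat={pi_hat:.4f} +/- {se:.4f}")
    print("belief after one True report, prior 0.5:", posterior_true(True, 0.5))
```

The posterior shows the limit of the protection: a single True report moves an even prior only to 0.75, while the provider still recovers the population fraction with an error that shrinks as 1/sqrt(n).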

[1285] There are extensions of the method to non-Boolean variables and to multiple item responses.

[1286] For this method to work it must have consumer acceptance. One technique to further consumer acceptance is for a privacy ratings service at a central site to certify messages as being in accord with privacy standards when they are appropriate implementations of the randomized response protocol. Under existing internet protocols (see Khare, Rohit, Digital Signature Label Architecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64, O'Reilly (1997) http://www.w3.org/DSIG) there is a method for the establishment of ratings services, which reliably certifies that certain messages have certain properties. The credibility of such assertions, i.e. that they are actually made by the service and not by an impostor, is based on deployment of standard authentication and encryption devices. Applying this technology, a privacy ratings service is established at a central site, e.g. Better Advice Bureau.org, to certify that certain questionnaires use randomized response techniques appropriately and protect individual identity. Advice authors seeking certification of the privacy respecting character of their messages submit those messages to the certification authority which studies the messages and, at its option, agrees to certify some of those messages as privacy respecting. In one embodiment of the invention, the user interface of the advice reader or similar component is configured to permit questionnaires and forms to be displayed to users only when they have been credibly certified by the privacy ratings service.

[1287] Network Management

[1288] The following discussion describes two important variations of the basic invention which are useful in problems of network management, i.e. management of large networks of computational devices.

[1289] Mandatory Advice

[1290] In the basic description of the invention, it is assumed that advice is offered as a convenience to a human consumer who acts in a managerial role to read and act appropriately at his option (see FIG. 24).

[1291] There are settings where the basic communications model described earlier can be usefully modified so that there is no user review of certain advisories. As an example of one such setting, a network administrator 240 supervises a large network of communicating computational devices, each one in a potentially different and dynamically changing state. The network administrator wants certain devices to perform a certain operation, but does not know which devices those are.

[1292] In this setting, it is valuable to have an advice reader program 241 which obtains and reviews 242 advisories, but which automatically applies the indicated solution operator 244 when relevance 243 is determined. This enables the network administrator to write a general advisory targeting many machines but not knowing in advance which machines those turn out to be, and obtain the desired functionality on those machines. A solution or communications log 245 may optionally be mailed back to the network administrator via a feedback path 246.

[1293] Examples of scenarios where this functionality is useful include:

[1294] Target all machines whose security settings do not match a certain administrator defined standard. Reimpose the required settings on all such machines.

[1295] Target all machines with a copy of a certain file. On such machines, replace the file with an updated version.

[1296] Target all machines which have less than a certain amount of free space on local disk. On such machines, purge the tmp volume.

[1297] Other examples can be supplied, including examples outside the technical support application. For example, in a setting where office appliances are computational devices, network management involves tasks concerning the maintenance and monitoring of assets and their use.

[1298] In the currently understood best implementation of this variation, there are several changes to the invention:

[1299] The advice reader is implemented as a faceless application with no user interface component.

[1300] The advice reader typically receives advisories by messaging mechanisms alternative to the usual subscription model, for example by e-mail or other diffusion mechanism.

[1301] The message format omits the humanly interpretable content.

[1302] The message format includes a message component containing a software tool, such as a script or executable binary, or a reference to a software tool, such as a URL or a file system pathname, providing functionality to be invoked automatically in case a certain condition becomes relevant.

[1303] Certain features may be included in this variant:

[1304] Security Feature. The advice reader includes an authentication feature to verify the identity of the advice site attempting to exert coercive privilege.

[1305] Bi-directional Communication Feature. The advice reader includes the ability to communicate back to the advice Author when the advice Author requires this, as indicated by a Mandated-Action: message line.

[1306] Master-slave Configuration

[1307] In the description of the invention, it is assumed that advice is offered as a convenience to a human consumer, who acts in a managerial role to read and act appropriately at his option. In the description, it is assumed implicitly that the consumer is the manager of a personal computer and its environment.

[1308] There are settings where the basic communications model described earlier can be usefully modified to reflect the needs of managers of large collections of computational devices. As an example of one such setting (see FIG. 25), a network administrator 250 supervises a large network of communicating computational devices 251-253, each one in a potentially different and dynamically changing state. The network administrator wants to have an advice reader which functions as a master reader 254, in which each entry he sees in the master user interface summarizes the relevance status of advice on many machines 255, 256 simultaneously. This allows the manager to overview 257, 258 and to make decisions about accepting or rejecting advice on many machines at once.

[1309] In this setting, the network administrator's workstation is a master machine and the computational devices he manages are slave machines. It is very desirable to have a master advice reader program running on the master machine and which obtains advisories, and which then communicates with the slave machines, each one running a slave relevance evaluator and slave action implementer, and which summarizes the results of the interaction. These slave relevance evaluators accept messages from the master advice reader. The messages consist of wrapper information and individual relevance clauses. The slaves evaluate the relevance clauses in the environment defined by their machines and transmit the resulting values to the master. The master reader then studies the results so obtained and, according to a special master user interface, presents to the network administrator a summary of master relevant messages. A message is deemed master relevant if the associated relevance clause is true on any slave machine. The network administrator studies the master relevant messages and may accept the proposed actions associated with some of them. When he does so, the master reader communicates with the slave action evaluator on slave machines on which a relevant result is obtained, relaying the recommended action part of the advisory, and indicating that the action should be taken. Each slave action evaluator contacted in this way then applies the indicated solution within the environment provided by that machine.

[1310] In this setting, a network administrator subscribes to advice and plays the role of managing the advice process in place of all the users of the slave machines. If a piece of advice, when relevant under the ordinary invention, suggests to a user that certain software should be updated on that user's machine, then the same advice is presented to the network administrator instead when some machine on the network should have an update, and it effectively proposes that the corresponding software on every such machine be updated.

[1311] In the currently understood best implementation of this variation, there are several changes to the usual invention model:

[1312] The slave relevance evaluator and slave action implementor are implemented as faceless applications with no user interface component.

[1313] The slave relevance evaluator and slave action implementor typically receive advisories by messaging mechanisms alternative to the usual subscription model, for example by e-mail or other diffusion mechanism.

[1314] The message format for communications between master reader and slave relevance evaluator omits the humanly interpretable content.

[1315] The message format for communications between master reader and slave action implementor includes a message component containing a software tool, such as a script or executable binary, or a reference to a software tool, such as a URL or a file system pathname, providing functionality to be invoked automatically.

[1316] In addition, certain variations may be exercised as well. The slave advice evaluator and slave action implementor include cryptographic authentication features to verify the identity of the master attempting to exert coercive privilege.

[1317] Owing to the difference in outlook that a network administrator has, the Master user interface has features not ordinarily available in the invention. These include:

[1318] Machine List Display. To display a list of all the machines on which a given advisory is relevant. To decorate this list by including other characteristics of the machines.

[1319] Machine List Filtering. To apply selection mechanisms to the list of relevant machines, allowing the recommended action to be applied only to a selected subgroup of machines within the relevant group. Particularly useful is the ability to intersect a list of machines with a predefined list, e.g. a list of machines in a certain operational division, a list of machines in a certain location, or a list of machines arising as relevant in some other advisory. It is also important to allow the list of machines to be expanded beyond the relevant machines, allowing both editing by hand or concatenation with some other list of machines, for example a predefined list, or a list of machines relevant for some other advisory.
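The master/slave exchange of [1309], the authentication variation of [1316] and the list filtering of [1319], as an added example that is not part of the original specification. The specification does not name an authentication scheme; HMAC-SHA256 with a key shared by the master and its slaves is swapped in here. The message layout, clause names, machine names and key are constructed, and relevance clauses are modelled as named predicates over a machine's state.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for relevance clauses.
CLAUSES = {
    "low free disk": lambda s: s["free_mb"] < 100,
    "very low free disk": lambda s: s["free_mb"] < 10,
    "firewall disabled": lambda s: not s["firewall_on"],
}

def seal(key, payload):
    """Master side: serialise the request and attach an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class SlaveEvaluator:
    """Faceless evaluator: verifies the master, then evaluates clauses locally."""

    def __init__(self, name, key, state):
        self.name, self.key, self.state = name, key, state

    def evaluate(self, message):
        expected = hmac.new(self.key, message["body"].encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; nothing is parsed or run before this passes.
        if not hmac.compare_digest(expected, message["tag"]):
            raise PermissionError(self.name + ": message not from the master")
        request = json.loads(message["body"])
        return {aid: bool(CLAUSES[clause](self.state))
                for aid, clause in request["clauses"].items()}

def master_relevant(slaves, key, advisories):
    """Advisory id -> machines where its clause is true. An advisory that is
    true on no slave is not master relevant and does not appear."""
    message = seal(key, {"clauses": advisories})
    machines = {}
    for slave in slaves:
        for aid, relevant in slave.evaluate(message).items():
            if relevant:
                machines.setdefault(aid, set()).add(slave.name)
    return machines

def select_targets(machines, advisory_id, restrict_to=None, extra=()):
    """Machine List Filtering: intersect with a predefined list, then expand."""
    targets = set(machines.get(advisory_id, ()))
    if restrict_to is not None:
        targets &= set(restrict_to)
    return targets | set(extra)

# Constructed fleet and advisories. A real deployment would also need
# per-message freshness (replay protection), which this sketch omits.
KEY = b"constructed-demo-key"
FLEET = [
    SlaveEvaluator("pc-01", KEY, {"free_mb": 40, "firewall_on": True}),
    SlaveEvaluator("pc-02", KEY, {"free_mb": 900, "firewall_on": False}),
    SlaveEvaluator("pc-03", KEY, {"free_mb": 20, "firewall_on": True}),
    SlaveEvaluator("pc-04", KEY, {"free_mb": 5000, "firewall_on": True}),
]
ADVISORIES = {"adv-disk": "low free disk",
              "adv-disk-critical": "very low free disk",
              "adv-fw": "firewall disabled"}

if __name__ == "__main__":
    relevant = master_relevant(FLEET, KEY, ADVISORIES)
    print(relevant)
    print(select_targets(relevant, "adv-disk", restrict_to={"pc-03", "pc-04"}))
```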

[1320] The logical structure described is that of a single body of advisories evaluated for relevance in a collection of different contexts, where the results in all those different contexts are gathered together in one single master user interface. This logical structure makes sense in other settings. For example, in the example of drug interactions discussed above, the pharmacist is an administrator, the body of advisories that he has received from pharmaceutical manufacturers are a body to be applied in many different contexts, and each of his customers' database records provide a unique context for interpretation of the advisories. Here, the context is not of individual machines but individual records in a database. The master user interface is the basis for another variation of the invention, i.e. operating with a specialized database inspector, the master advice reader obtains a list of all the patients for each advisory for whom a given advisory is relevant. The user interface displays only master-relevant information to the pharmacist, i.e. advisories relevant for some patient in the database. The pharmacist then views the relevant advisories and inspects a list of associated patients.

[1321] Although the invention is described herein with reference to the preferred embodiment, one skilled in the art will readily appreciate that other applications may be substituted for those set forth herein without departing from the spirit and scope of the present invention. Accordingly, the invention should only be limited by the claims included below.

1. A communications system, comprising: an advice provider which broadcasts information over a communications medium; an advice consumer for gathering said broadcast information from said communication medium; and a reader associated with said advice consumer for determining relevance of said broadcast information; wherein said advice consumer is advised of said information only if said information meets certain predetermined relevance criteria; wherein said advice consumer maintains anonymity, privacy, and security by not revealing to said advice provider either that said advice consumer is interested in information from said advice provider, that said advice consumer has received any particular message, or that said information is relevant to said advice consumer.
 2. The system of claim 1, wherein relevant information may be presented to said advice consumer for review and action, or it may be acted on automatically.
 3. An apparatus for linking an advice provider to an advice consumer, comprising: an advice provider for broadcasting advice in the form of an advisory describing in terms said advice consumer can easily understand the reason that said advisory is relevant and the purpose and effects of an action which is being recommended to said advice consumer; a gatherer for gathering advisories for said advice consumer; an advice reader associated with an advice consumer for performing a relevance determination for said advisories to determine the relevance of said advisories, said determination being made either continuously, at scheduled intervals, or under user manual control.
 4. The apparatus of claim 3, further comprising: A display for presenting said advice consumer with relevant advisories only.
 5. A communications apparatus, comprising: an advisory comprising a relevance clause and comprising an assertion about an advice consumer computer, its contents, or environment which can be automatically evaluated by comparing said assertion with said advice consumer computer's actual state; a message associated with said relevance clause whose suitability for said advice consumer is determined at least partially by evaluation of said relevance clause; a gatherer for gathering advisories for said advice consumer; a watcher for evaluating relevance clauses by checking if these point towards or away from relevance; and a notifier for displaying messages to said advice consumer under at least partial guidance of an evaluated relevance clause.
 6. The apparatus of claim 5, said advisory further comprising any of: a wrapper for packaging information in said advisory for transport and subsequent decoding; a from line for identifying an advice author; a subject line for identifying the concern of said advisory; a relevance clause for specifying conditions under which the said is relevant; a message body for providing explanatory material explaining to said advice consumer what condition is relevant, why said advice consumer is concerned, and what action is recommended; and an action button for providing said advice consumer with the ability to invoke an automatic execution of a recommended action.